Analysis Report RFQ - REF 208056-pdf.exe

Overview

General Information

Sample Name: RFQ - REF 208056-pdf.exe
Analysis ID: 358398
MD5: c1b250f45de606ef95af9961496402a0
SHA1: a222da21dbd932d64f9cad12b46c068ac7360f72
SHA256: cdb8cf995f8287a1f64cd035c4e34e047e23a3218dbf50b0fcf321ecd464094e
Tags: exesigned

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to delay execution (extensive OutputDebugStringW loop)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 16.2.svchost.exe.47b10f0.5.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "directortopcoba@top-co.babrSet=M{CAdetop-co.ba"}
Multi AV Scanner detection for domain / URL
Source: coroloboxorozor.com Virustotal: Detection: 15%
Source: http://coroloboxorozor.com Virustotal: Detection: 15%
Source: http://coroloboxorozor.com/base/4FDB764474638ADF12639B4DA858CE81.html Virustotal: Detection: 15%
Multi AV Scanner detection for dropped file
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: RFQ - REF 208056-pdf.exe Virustotal: Detection: 18%
Source: RFQ - REF 208056-pdf.exe ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RFQ - REF 208056-pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.0.svchost.exe.d60000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 16.2.svchost.exe.d60000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.RFQ - REF 208056-pdf.exe.50000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.0.RFQ - REF 208056-pdf.exe.50000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: RFQ - REF 208056-pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, AdvancedRun.exe, 0000000B.00000000.311587089.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000D.00000000.329692687.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\RFQ - REF 208056-pdf.PDB source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: OnpeiVisualBasic.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: O.pdb3X source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbA source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbn source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: hhRFQ - REF 208056-pdf.PDB source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: System.Management.Automation.pdb-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer3215EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC9F596836F97C8F7479F source: powershell.exe, 00000011.00000002.548053273.0000000008392000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb^ source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /base/4FDB764474638ADF12639B4DA858CE81.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /base/67CF952D671D30AE6DA37F3E241170D6.html HTTP/1.1 Host: coroloboxorozor.com
Source: global traffic HTTP traffic detected: GET /base/7DD0ECB3FED3970A09258155874027F0.html HTTP/1.1 Host: coroloboxorozor.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.172.17 172.67.172.17
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown DNS traffic detected: queries for: coroloboxorozor.com
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.403215923.0000000002581000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.524567158.00000000034C1000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.403215923.0000000002581000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.524567158.00000000034C1000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com/base/4FDB764474638ADF12639B4DA858CE81.html
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.403215923.0000000002581000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.524567158.00000000034C1000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com/base/7DD0ECB3FED3970A09258155874027F0.html
Source: powershell.exe, 00000011.00000002.518282012.00000000035B4000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000011.00000002.551437427.0000000009B51000.00000004.00000001.sdmp String found in binary or memory: http://crl.m
Source: powershell.exe, 00000011.00000002.551437427.0000000009B51000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft.co
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: svchost.exe, 00000002.00000002.529372868.000001EAA1C00000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: svchost.exe, 00000002.00000002.529372868.000001EAA1C00000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000002.00000002.529372868.000001EAA1C00000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000011.00000002.524764005.0000000005201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svchost.exe, 00000002.00000002.532241708.000001EAA1F60000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.403215923.0000000002581000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.539506519.0000000005161000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.524567158.00000000034C1000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.524025636.00000000050C1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.524764005.0000000005201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: svchost.exe, 00000005.00000002.307256810.00000243FF013000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: powershell.exe, 00000011.00000002.547914635.0000000008310000.00000004.00000001.sdmp String found in binary or memory: http://www.microsoft.coaHp
Source: AdvancedRun.exe, AdvancedRun.exe, 0000000D.00000000.329692687.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: svchost.exe, 00000003.00000002.513627906.000002451B03E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000003.00000002.513627906.000002451B03E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000003.00000002.513627906.000002451B03E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000003.00000002.513627906.000002451B03E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000003.00000002.513627906.000002451B03E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000003.00000002.513627906.000002451B03E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000003.307021748.00000243FF04A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.307284356.00000243FF03E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.307003492.00000243FF04D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000005.00000002.307267041.00000243FF029000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000005.00000003.285270099.00000243FF031000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.307284356.00000243FF03E000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000005.00000003.285270099.00000243FF031000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000003.307049363.00000243FF042000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000005.00000003.307049363.00000243FF042000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.307034624.00000243FF041000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000005.00000003.307021748.00000243FF04A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000002.307307178.00000243FF05D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000002.307307178.00000243FF05D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.307003492.00000243FF04D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.307284356.00000243FF03E000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.285270099.00000243FF031000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0C
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 00000005.00000002.307284356.00000243FF03E000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.307284356.00000243FF03E000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.307256810.00000243FF013000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.307045052.00000243FF046000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.307045052.00000243FF046000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000002.307267041.00000243FF029000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000003.285270099.00000243FF031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000005.00000003.307003492.00000243FF04D000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.509634686.0000000003B23000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.544302148.000000000477A000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Code function: 0_2_022E0BA0 NtSetInformationThread, 0_2_022E0BA0
Creates files inside the system directory
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe File created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Code function: 0_2_022E2750 0_2_022E2750
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Code function: 0_2_0237C2F0 0_2_0237C2F0
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Code function: 0_2_023793F0 0_2_023793F0
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Code function: 0_2_08100040 0_2_08100040
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Code function: 0_2_0810000A 0_2_0810000A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_0357B348 9_2_0357B348
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_035785C0 9_2_035785C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_0357CAB0 9_2_0357CAB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_0357F9C8 9_2_0357F9C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_0357A9B8 9_2_0357A9B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_0357ECA4 9_2_0357ECA4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_03577210 9_2_03577210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_03575797 9_2_03575797
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_035757A8 9_2_035757A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_03577680 9_2_03577680
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_03578DF0 9_2_03578DF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_03580390 9_2_03580390
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_03582B08 9_2_03582B08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_035889BB 9_2_035889BB
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Code function: 16_2_059EB1F4 16_2_059EB1F4
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Code function: 16_2_059EB1E8 16_2_059EB1E8
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Code function: 16_2_059E93F0 16_2_059E93F0
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Code function: 16_2_059EDFB0 16_2_059EDFB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_0378C920 17_2_0378C920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_0378EA2F 17_2_0378EA2F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_0827EC58 17_2_0827EC58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_08278DA8 17_2_08278DA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_08278D99 17_2_08278D99
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_0827A427 17_2_0827A427
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_0827A438 17_2_0827A438
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_08273D83 17_2_08273D83
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_08273D90 17_2_08273D90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_08307E00 17_2_08307E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_089EE5A0 17_2_089EE5A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_089ED730 17_2_089ED730
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6556 -ip 6556
PE / OLE file has an invalid certificate
Source: RFQ - REF 208056-pdf.exe Static PE information: invalid certificate
PE file contains strange resources
Source: AdvancedRun.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543316412.0000000005C30000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543447459.0000000005C80000.00000002.00000001.sdmp Binary or memory string: originalfilename vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543447459.0000000005C80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000000.228993123.000000000006E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTEwJVelt.exe2 vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.509634686.0000000003B23000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIoxb OTf.exe2 vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.401077790.00000000022F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ - REF 208056-pdf.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: C:\Windows\explorer.exe Section loaded: ninput.dll
Source: classification engine Classification label: mal100.troj.evad.winEXE@37/15@3/3
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 11_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 13_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 13_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 11_2_004095FD
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 11_2_0040A33B
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 11_2_00401306
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210225
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_01
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe File created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3
Source: unknown Process created: C:\Windows\explorer.exe
Source: RFQ - REF 208056-pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: RFQ - REF 208056-pdf.exe Virustotal: Detection: 18%
Source: RFQ - REF 208056-pdf.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe File read: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /SpecialRun 4101d8 5504
Source: unknown Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6556 -ip 6556
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 2200
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /SpecialRun 4101d8 5504
Source: C:\Windows\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ - REF 208056-pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ - REF 208056-pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, AdvancedRun.exe, 0000000B.00000000.311587089.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000D.00000000.329692687.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\RFQ - REF 208056-pdf.PDB source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: OnpeiVisualBasic.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: O.pdb3X source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbA source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbn source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: hhRFQ - REF 208056-pdf.PDB source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: System.Management.Automation.pdb-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer3215EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC9F596836F97C8F7479F source: powershell.exe, 00000011.00000002.548053273.0000000008392000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb^ source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0x85456217 [Wed Nov 7 16:00:23 2040 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_0040289F
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Code function: 0_2_0237E040 push 00000025h; retf 0_2_0237E044
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_0040B550 push eax; ret 11_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_0040B550 push eax; ret 11_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_0040B50D push ecx; ret 11_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 13_2_0040B550 push eax; ret 13_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 13_2_0040B550 push eax; ret 13_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 13_2_0040B50D push ecx; ret 13_2_0040B51D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_0378BE90 push es; ret 17_2_0378BEA6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_08273BA8 pushad ; ret 17_2_08273BA9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_0830FE40 push eax; mov dword ptr [esp], edx 17_2_0830FF0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_0830F861 push 00000007h; ret 17_2_0830F870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_0830FEF8 push eax; mov dword ptr [esp], edx 17_2_0830FF0C

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe File created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\explorer.exe Executable created and started: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe
Drops PE files
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe File created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe File created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe File created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce XZFSGXzndMljLVEovPfqdS
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 11_2_00401306

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_00408E31
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Section loaded: OutputDebugStringW count: 1933
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Section loaded: OutputDebugStringW count: 1937
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4594
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2345
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6860 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5236 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 6760 Thread sleep count: 67 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6212 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6212 Thread sleep time: -922337203685477s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: powershell.exe, 00000009.00000003.517902896.0000000005964000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: svchost.exe, 00000003.00000002.519119102.000002451B6C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000F.00000002.512322019.0000000001329000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\
Source: explorer.exe, 0000000F.00000002.512322019.0000000001329000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\
Source: svchost.exe, 00000002.00000002.530073283.000001EAA1C4D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000002.505437886.000001EA9C629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@0
Source: svchost.exe, 00000003.00000002.519119102.000002451B6C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000003.00000002.519119102.000002451B6C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000F.00000002.512322019.0000000001329000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:DB
Source: svchost.exe, 00000003.00000002.515379536.000002451B067000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.504484042.0000027C99E29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000003.00000002.519119102.000002451B6C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: powershell.exe, 00000009.00000003.517902896.0000000005964000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.524764005.0000000005201000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Thread information set: HideFromDebugger
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_0040289F
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Network Connect: 172.67.172.17 80
Adds a directory exclusion to Windows Defender
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Memory written: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe base: 400000 value starts with: 4D5A
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError, 11_2_00401C26
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /SpecialRun 4101d8 5504
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: powershell.exe, 00000009.00000002.536326386.0000000003B60000.00000002.00000001.sdmp, explorer.exe, 0000000F.00000002.515784160.00000000019E0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: powershell.exe, 00000009.00000002.536326386.0000000003B60000.00000002.00000001.sdmp, explorer.exe, 0000000F.00000002.515784160.00000000019E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000009.00000002.536326386.0000000003B60000.00000002.00000001.sdmp, explorer.exe, 0000000F.00000002.515784160.00000000019E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: powershell.exe, 00000009.00000002.536326386.0000000003B60000.00000002.00000001.sdmp, explorer.exe, 0000000F.00000002.515784160.00000000019E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Queries volume information: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread, 11_2_0040A272
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000007.00000002.506679598.000002B19E23D000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.509083393.000002B19E302000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0000001B.00000002.497563880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.519847077.0000000002C91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.544302148.000000000477A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.544137822.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.509634686.0000000003B23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ - REF 208056-pdf.exe PID: 6556, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1020, type: MEMORY
Source: Yara match File source: 0.2.RFQ - REF 208056-pdf.exe.3d586d0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.47b10f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.47b10f0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ - REF 208056-pdf.exe.3d586d0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ - REF 208056-pdf.exe.3b23dd8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ - REF 208056-pdf.exe.3b23dd8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.477aed0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.477aed0.6.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 0000001B.00000002.519847077.0000000002C91000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0000001B.00000002.497563880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.519847077.0000000002C91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.544302148.000000000477A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.544137822.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.509634686.0000000003B23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ - REF 208056-pdf.exe PID: 6556, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1020, type: MEMORY
Source: Yara match File source: 0.2.RFQ - REF 208056-pdf.exe.3d586d0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.47b10f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.47b10f0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ - REF 208056-pdf.exe.3d586d0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ - REF 208056-pdf.exe.3b23dd8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ - REF 208056-pdf.exe.3b23dd8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.477aed0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.477aed0.6.raw.unpack, type: UNPACKEDPE
Behavior Graph ID: 358398
Sample: RFQ - REF 208056-pdf.exe
Startdate: 25/02/2021
Architecture: WINDOWS
Score: 100

Behavior Graph (the rendered graph, written out here as a process tree):

Sample start node
  • DNS: coroloboxorozor.com
  • Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 8 other signatures
  • Started: RFQ - REF 208056-pdf.exe; explorer.exe; svchost.exe; 5 other processes

RFQ - REF 208056-pdf.exe
  • DNS/IP: coroloboxorozor.com 172.67.172.17, ports 49708, 49730, 49736, CLOUDFLARENETUS United States
  • Dropped: C:\Windows\Microsoft.NET\...\svchost.exe (PE32); C:\Windows\...\svchost.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
  • Signatures: Creates an autostart registry key pointing to binary in C:\Windows; Adds a directory exclusion to Windows Defender; Hides threads from debuggers; Injects a PE file into a foreign processes
  • Started: AdvancedRun.exe (which started a second AdvancedRun.exe that contacted 192.168.2.1 unknown unknown); cmd.exe (which started conhost.exe and timeout.exe); powershell.exe (which started conhost.exe); powershell.exe (which started conhost.exe)

explorer.exe
  • Signatures: Drops executables to the windows directory (C:\Windows) and starts them
  • Started: svchost.exe, which contacted coroloboxorozor.com
  • Signatures on that svchost.exe: System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to delay execution (extensive OutputDebugStringW loop)

svchost.exe
  • Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

5 other processes
  • DNS/IP: 127.0.0.1 unknown unknown

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name         Malicious
172.67.172.17  unknown  United States  13335  CLOUDFLARENETUS  true

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
coroloboxorozor.com 172.67.172.17 true

Contacted URLs

http://coroloboxorozor.com/base/4FDB764474638ADF12639B4DA858CE81.html
  • Malicious: true
  • Antivirus Detection: 15%, Virustotal; Avira URL Cloud: safe
  • Reputation: unknown
http://coroloboxorozor.com/base/7DD0ECB3FED3970A09258155874027F0.html
  • Malicious: true
  • Antivirus Detection: Avira URL Cloud: safe
  • Reputation: unknown
http://coroloboxorozor.com/base/67CF952D671D30AE6DA37F3E241170D6.html
  • Malicious: true
  • Antivirus Detection: Avira URL Cloud: safe
  • Reputation: unknown