Loading ...

Play interactive tourEdit tour

Windows Analysis Report URGENT REQUEST FOR QUOTATION.exe

Overview

General Information

Sample Name:URGENT REQUEST FOR QUOTATION.exe
Analysis ID:452545
MD5:436f3797fc4c39d1a2319196bc15c1c3
SHA1:1a93b32908c5def6129f192fd096f129ea575220
SHA256:f7b11103bbd791d5c2452275ff23fe51eff41ba5071ba015ef50672138c9b459
Tags:exe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • URGENT REQUEST FOR QUOTATION.exe (PID: 5464 cmdline: 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe' MD5: 436F3797FC4C39D1A2319196BC15C1C3)
    • powershell.exe (PID: 5516 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5788 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4836 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6156 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "brucechuks212@vivaldi.net", "Password": "23456789@@@@", "Host": "smtp.vivaldi.net"}

Yara Overview

Sigma Overview

System Summary:

barindex
Sigma detected: Powershell Defender ExclusionShow sources
Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe' , ParentImage: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe, ParentProcessId: 5464, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', ProcessId: 5516
Sigma detected: Non Interactive PowerShellShow sources
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe' , ParentImage: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe, ParentProcessId: 5464, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', ProcessId: 5516

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Found malware configurationShow sources
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "brucechuks212@vivaldi.net", "Password": "23456789@@@@", "Host": "smtp.vivaldi.net"}
Multi AV Scanner detection for dropped fileShow sources
Source: C:\Users\user\AppData\Roaming\CCxRZUAFy.exeReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted fileShow sources
Source: URGENT REQUEST FOR QUOTATION.exeReversingLabs: Detection: 39%
Machine Learning detection for dropped fileShow sources
Source: C:\Users\user\AppData\Roaming\CCxRZUAFy.exeJoe Sandbox ML: detected
Machine Learning detection for sampleShow sources
Source: URGENT REQUEST FOR QUOTATION.exeJoe Sandbox ML: detected
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.512448328.00000000033B1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.512448328.00000000033B1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
Source: URGENT REQUEST FOR QUOTATION.exeString found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=
Source: powershell.exe, 0000000C.00000003.456686092.0000000009AB0000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsof
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.512448328.00000000033B1000.00000004.00000001.sdmpString found in binary or memory: http://qxLqgV.com
Source: powershell.exe, 0000000F.00000003.439686163.00000000051FA000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000F.00000003.439686163.00000000051FA000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: URGENT REQUEST FOR QUOTATION.exeString found in binary or memory: http://twitter.com/statuses/user_timeline.xml?screen_name=
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comadi
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comarT
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.cometh
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comlay
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239482199.0000000005F14000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.y
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comals
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomd
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdV
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessedD
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239203447.0000000005F10000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmp, URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/3
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Webd
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.240785096.0000000005F08000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ers
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.240785096.0000000005F08000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.240785096.0000000005F08000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.240385875.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/roso
Source: powershell.exe, 0000000C.00000003.416484110.0000000007FE1000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000000C.00000003.422321496.00000000058F8000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.427772960.0000000005440000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.503706672.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.512448328.00000000033B1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

barindex
.NET source code contains very large array initializationsShow sources
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE28EDE1Au002d0DFFu002d45E9u002d9A29u002dC8551D143C75u007d/u0039ACB0DCFu002d05C4u002d49DCu002dB73Au002dD9A6D13ABB59.csLarge array initialization: .cctor: array initializer size 11937
Initial sample is a PE file and has a suspicious nameShow sources
Source: initial sampleStatic PE information: Filename: URGENT REQUEST FOR QUOTATION.exe
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 20_2_00ECBF7F20_2_00ECBF7F
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 20_2_018246A020_2_018246A0
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 20_2_0182469020_2_01824690
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 20_2_0182467320_2_01824673
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 20_2_0182D2E120_2_0182D2E1
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000000.234931999.0000000000A72000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSinkProviderEnt.exe8 vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exeBinary or memory string: OriginalFilename vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.506375111.0000000000EC2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSinkProviderEnt.exe8 vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.520747940.0000000006500000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.503706672.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameQfAsAXkZdWxBQzlpGkABAoNnttg.exe4 vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exeBinary or memory string: OriginalFilenameSinkProviderEnt.exe8 vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CCxRZUAFy.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: URGENT REQUEST FOR QUOTATION.exe, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
Source: CCxRZUAFy.exe.0.dr, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
Source: 0.0.URGENT REQUEST FOR QUOTATION.exe.a70000.0.unpack, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.ec0000.1.unpack, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
Source: URGENT REQUEST FOR QUOTATION.exeBinary or memory string: ++.vBpQ
Source: classification engineClassification label: mal100.troj.evad.winEXE@15/18@0/0
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile created: C:\Users\user\AppData\Roaming\CCxRZUAFy.exeJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_01
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeMutant created: \Sessions\1\BaseNamedObjects\DyOiITGQOZVocaqJg
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3264:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_01
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD0B6.tmpJump to behavior
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: URGENT REQUEST FOR QUOTATION.exeReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile read: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp'
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp'Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: initial sampleStatic PE information: section name: .text entropy: 7.60723196503
Source: initial sampleStatic PE information: section name: .text entropy: 7.60723196503
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile created: C:\Users\user\AppData\Roaming\CCxRZUAFy.exeJump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4268Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2473Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4110Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2640Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4308
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4413
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeWindow / User API: threadDelayed 538
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeWindow / User API: threadDelayed 9302
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 5264Thread sleep time: -39925s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 4812Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4960Thread sleep time: -23980767295822402s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2148Thread sleep count: 4110 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6344Thread sleep count: 45 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2148Thread sleep count: 2640 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3192Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6292Thread sleep count: 4308 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6292Thread sleep count: 4413 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 2068Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 2252Thread sleep count: 538 > 30
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 2252Thread sleep count: 9302 > 30
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeThread delayed: delay time: 39925Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 0000000C.00000003.420260208.00000000057FB000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.427387537.000000000534E000.00000004.00000001.sdmpBinary or memory string: Hyper-V
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.520747940.0000000006500000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: URGENT REQUEST FOR QUOTATION.exeBinary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
Source: powershell.exe, 0000000C.00000003.420260208.00000000057FB000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.427387537.000000000534E000.00000004.00000001.sdmpBinary or memory string: #l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.520747940.0000000006500000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.520747940.0000000006500000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.520747940.0000000006500000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Adds a directory exclusion to Windows DefenderShow sources
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'Jump to behavior
Injects a PE file into a foreign processesShow sources
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeMemory written: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp'Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'Jump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeJump to behavior
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.511718751.0000000001E00000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.511718751.0000000001E00000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.511718751.0000000001E00000.00000002.00000001.sdmpBinary or memory string: Progman
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.511718751.0000000001E00000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Users\u<