Windows Analysis Report URGENT REQUEST FOR QUOTATION.exe

Overview

General Information

Sample Name:URGENT REQUEST FOR QUOTATION.exe
Analysis ID:452545
MD5:436f3797fc4c39d1a2319196bc15c1c3
SHA1:1a93b32908c5def6129f192fd096f129ea575220
SHA256:f7b11103bbd791d5c2452275ff23fe51eff41ba5071ba015ef50672138c9b459
Tags:exe
Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • URGENT REQUEST FOR QUOTATION.exe (PID: 5464 cmdline: 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe' MD5: 436F3797FC4C39D1A2319196BC15C1C3)
    • powershell.exe (PID: 5516 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5788 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4836 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6156 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "brucechuks212@vivaldi.net", "Password": "23456789@@@@", "Host": "smtp.vivaldi.net"}

Yara Overview

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe' , ParentImage: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe, ParentProcessId: 5464, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', ProcessId: 5516
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe' , ParentImage: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe, ParentProcessId: 5464, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe', ProcessId: 5516

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "brucechuks212@vivaldi.net", "Password": "23456789@@@@", "Host": "smtp.vivaldi.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\CCxRZUAFy.exe | ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: URGENT REQUEST FOR QUOTATION.exe | ReversingLabs: Detection: 39%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\CCxRZUAFy.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: URGENT REQUEST FOR QUOTATION.exe | Joe Sandbox ML: detected
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: URGENT REQUEST FOR QUOTATION.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: URGENT REQUEST FOR QUOTATION.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.512448328.00000000033B1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.512448328.00000000033B1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
Source: URGENT REQUEST FOR QUOTATION.exeString found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=
Source: powershell.exe, 0000000C.00000003.456686092.0000000009AB0000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsof
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.512448328.00000000033B1000.00000004.00000001.sdmpString found in binary or memory: http://qxLqgV.com
Source: powershell.exe, 0000000F.00000003.439686163.00000000051FA000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000F.00000003.439686163.00000000051FA000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: URGENT REQUEST FOR QUOTATION.exeString found in binary or memory: http://twitter.com/statuses/user_timeline.xml?screen_name=
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comadi
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comarT
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.cometh
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comlay
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239482199.0000000005F14000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.y
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comals
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomd
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdV
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241974830.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessedD
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239203447.0000000005F10000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmp, URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/3
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Webd
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.240785096.0000000005F08000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.239863376.0000000005F03000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ers
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.240785096.0000000005F08000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.241062822.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.240785096.0000000005F08000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000003.240385875.0000000005F0A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/roso
Source: powershell.exe, 0000000C.00000003.416484110.0000000007FE1000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000000C.00000003.422321496.00000000058F8000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.427772960.0000000005440000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.503706672.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.512448328.00000000033B1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack, <PrivateImplementationDetails>{E28EDE1A-0DFF-45E9-9A29-C8551D143C75}/9ACB0DCF-05C4-49DC-B73A-D9A6D13ABB59.cs | Large array initialization: .cctor: array initializer size 11937
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: URGENT REQUEST FOR QUOTATION.exe
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 20_2_00ECBF7F
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 20_2_018246A0
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 20_2_01824690
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 20_2_01824673
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 20_2_0182D2E1
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000000.234931999.0000000000A72000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSinkProviderEnt.exe8 vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exeBinary or memory string: OriginalFilename vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.506375111.0000000000EC2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSinkProviderEnt.exe8 vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.520747940.0000000006500000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.503706672.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameQfAsAXkZdWxBQzlpGkABAoNnttg.exe4 vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exeBinary or memory string: OriginalFilenameSinkProviderEnt.exe8 vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CCxRZUAFy.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: URGENT REQUEST FOR QUOTATION.exe, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
Source: CCxRZUAFy.exe.0.dr, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
Source: 0.0.URGENT REQUEST FOR QUOTATION.exe.a70000.0.unpack, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 20.2.URGENT REQUEST FOR QUOTATION.exe.ec0000.1.unpack, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
Source: URGENT REQUEST FOR QUOTATION.exeBinary or memory string: ++.vBpQ
Source: classification engineClassification label: mal100.troj.evad.winEXE@15/18@0/0
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile created: C:\Users\user\AppData\Roaming\CCxRZUAFy.exeJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_01
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeMutant created: \Sessions\1\BaseNamedObjects\DyOiITGQOZVocaqJg
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3264:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_01
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD0B6.tmpJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: URGENT REQUEST FOR QUOTATION.exeReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile read: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp'
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess created: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: initial sampleStatic PE information: section name: .text entropy: 7.60723196503
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile created: C:\Users\user\AppData\Roaming\CCxRZUAFy.exeJump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp'
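The three behaviours the sandbox chained together in this report (the Sigma "Powershell Defender Exclusion" match, the schtasks /Create /XML persistence, and the suspended second copy of the sample that the loader injects into) are all visible in ordinary process-creation telemetry. The Python triage below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It runs the same selection logic over a hand-built set of process-creation events whose command lines are copied from the process tree above. PIDs 6100, 4000, 7001 and 7002 and the two benign control command lines are assumptions, and the Defender-exclusion selectors are an approximation of the public Sigma rule, whose authoritative selectors live in the SigmaHQ repository.

```python
import re
from collections import defaultdict

# Process-creation events built by hand from the process tree in this report.
# Command lines and PIDs 5464/5516/5788/4836/6156 are as listed there. PID 6100
# (the self-spawned copy, whose PID the report does not print), PID 4000 (an
# explorer.exe parent) and PIDs 7001/7002 (benign controls) are assumed.
# Image paths are SysWOW64 where the report's Sigma match shows them: the loader
# is 32-bit, so its call to System32\powershell.exe is redirected to the 32-bit
# binary by WOW64 file-system redirection. Match on the image basename, never on
# the System32/SysWOW64 directory, or this class of sample slips past.
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\explorer.exe"},
    {"pid": 5464, "ppid": 4000,
     "image": r"C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe",
     "cmd": r"'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'"},
    {"pid": 5516, "ppid": 5464,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'"},
    {"pid": 5788, "ppid": 5464,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'"},
    {"pid": 4836, "ppid": 5464,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp'"},
    {"pid": 6156, "ppid": 5464,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'"},
    {"pid": 6100, "ppid": 5464,  # assumed PID: the suspended second instance
     "image": r"C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe",
     "cmd": r"C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe"},
    {"pid": 7001, "ppid": 4000, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe"},  # benign control
    {"pid": 7002, "ppid": 4000,  # benign control: reads Defender config, does not change it
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe Get-MpPreference"},
]

EXCLUSION_CMDLETS = ("add-mppreference", "set-mppreference")
EXCLUSION_PARAMS = ("-exclusionpath", "-exclusionextension",
                    "-exclusionprocess", "-exclusionipaddress")
# Images that legitimately spawn copies of themselves all day (browser renderers etc.).
SELF_SPAWN_ALLOW = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe", "svchost.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_defender_exclusion(ev):
    """Selection logic of the Sigma 'Powershell Defender Exclusion' match above: a
    PowerShell image whose command line pairs an *-MpPreference cmdlet with an
    -Exclusion* parameter. Lower-cased substring matching, because PowerShell
    cmdlet and parameter names are case-insensitive."""
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    cmd = ev["cmd"].lower()
    return any(c in cmd for c in EXCLUSION_CMDLETS) and any(p in cmd for p in EXCLUSION_PARAMS)


def is_schtasks_xml_from_temp(ev):
    """schtasks /Create importing its task definition (/XML) from the user's Temp
    directory: the persistence pattern of the Updates\\CCxRZUAFy task above."""
    if basename(ev["image"]) != "schtasks.exe":
        return False
    cmd = ev["cmd"].lower()
    if "/create" not in cmd:
        return False
    m = re.search(r"/xml\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", cmd)
    if not m:
        return False
    xml_path = next(g for g in m.groups() if g is not None)
    return "\\appdata\\local\\temp\\" in xml_path


def is_self_spawn(ev, by_pid):
    """A process starting a second instance of its own image. Paired with the
    report's 'Creates a process in suspended mode' this is the staging step for
    hollowing; alone it is noisy, hence the allow-list."""
    parent = by_pid.get(ev["ppid"])
    if parent is None or basename(ev["image"]) in SELF_SPAWN_ALLOW:
        return False
    return parent["image"].lower() == ev["image"].lower()


RULES = (
    ("defender_exclusion", lambda ev, by_pid: is_defender_exclusion(ev)),
    ("schtasks_xml_from_temp", lambda ev, by_pid: is_schtasks_xml_from_temp(ev)),
    ("self_spawn", is_self_spawn),
)


def triage(events):
    """Map pid -> list of rule names that fired on that process."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES:
            if rule(ev, by_pid):
                hits[ev["pid"]].append(name)
    return dict(hits)


def rollup_by_parent(events):
    """Attribute each hit to the process that spawned it, so the loader (PID 5464
    here) surfaces as one alert carrying all three behaviours instead of four
    unrelated child-process alerts."""
    by_pid = {ev["pid"]: ev for ev in events}
    rolled = defaultdict(set)
    for pid, names in triage(events).items():
        rolled[by_pid[pid]["ppid"]].update(names)
    return {pid: sorted(names) for pid, names in rolled.items()}


if __name__ == "__main__":
    for pid, names in sorted(rollup_by_parent(SAMPLE_EVENTS).items()):
        print(pid, names)
```

Two caveats a responder should keep in mind. The command-line rule is string-based, so a loader that passes the same cmdlet through -EncodedCommand, or abbreviates the parameter to an unambiguous prefix, is out of its reach; corroborate it with Defender's own configuration-change event (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which records the new Exclusions\Paths value) and with Get-MpPreference on the host. And the self-spawn rule only becomes meaningful when combined with the other two or with a suspended-process creation, which is exactly why the roll-up keys on the parent.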
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process information set: NOOPENFILEERRORBOX (41 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4268
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2473
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4110
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4308
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4413
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Window / User API: threadDelayed 538
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Window / User API: threadDelayed 9302
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 5264 | Thread sleep time: -39925s >= -30000s
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 4812 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4960 | Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2148 | Thread sleep count: 4110 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6344 | Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2148 | Thread sleep count: 2640 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3192 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6292 | Thread sleep count: 4308 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6292 | Thread sleep count: 4413 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 2068 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 2252 | Thread sleep count: 538 > 30
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 2252 | Thread sleep count: 9302 > 30
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Thread delayed: delay time: 39925
Source: powershell.exe, 0000000C.00000003.420260208.00000000057FB000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.427387537.000000000534E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.520747940.0000000006500000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: URGENT REQUEST FOR QUOTATION.exe | Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
Source: powershell.exe, 0000000C.00000003.420260208.00000000057FB000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.427387537.000000000534E000.00000004.00000001.sdmp | Binary or memory string: #l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.520747940.0000000006500000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.520747940.0000000006500000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.520747940.0000000006500000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Memory written: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp'
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process created: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.511718751.0000000001E00000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.511718751.0000000001E00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.511718751.0000000001E00000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: URGENT REQUEST FOR QUOTATION.exe, 00000014.00000002.511718751.0000000001E00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Observed techniques (the cells that carry badges in the report): Execution: Windows Management Instrumentation, Scheduled Task/Job; Persistence: Scheduled Task/Job; Privilege Escalation: Process Injection, Scheduled Task/Job; Defense Evasion: Masquerading, Disable or Modify Tools, Virtualization/Sandbox Evasion, Process Injection, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Software Packing; Discovery: Query Registry, Security Software Discovery, Process Discovery, Virtualization/Sandbox Evasion, Application Window Discovery, File and Directory Discovery, System Information Discovery; Collection: Archive Collected Data; Command and Control: Encrypted Channel.

Full matrix as extracted, one tactic per line. The number after a technique is the badge count the report attaches to it (digits of adjacent badges run together in the export); techniques without a number are the matrix's unpopulated cells.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation (211), Scheduled Task/Job (1), At (Linux), At (Windows), Cron, Launchd, Scheduled Task
Persistence: Scheduled Task/Job (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Privilege Escalation: Process Injection (112), Scheduled Task/Job (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Defense Evasion: Masquerading (1), Disable or Modify Tools (11), Virtualization/Sandbox Evasion (131), Process Injection (112), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (3)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Query Registry (1), Security Software Discovery (211), Process Discovery (2), Virtualization/Sandbox Evasion (131), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (113)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 452545 | Sample: URGENT REQUEST FOR QUOTATION.exe | Start date: 22/07/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures

Process tree (numbers in brackets are the per-process count badges from the graph):
  URGENT REQUEST FOR QUOTATION.exe [7], started
    dropped: C:\Users\user\AppData\Roaming\CCxRZUAFy.exe (PE32)
    dropped: C:\Users\...\CCxRZUAFy.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmpD0B6.tmp (XML)
    dropped: C:\...\URGENT REQUEST FOR QUOTATION.exe.log (ASCII)
    signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    powershell.exe [24], started
      conhost.exe, started
    powershell.exe [24], started
      conhost.exe, started
    powershell.exe [24], started
      conhost.exe, started
    2 other processes, started
      conhost.exe, started
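Detection logic for the chain the graph shows (the sample spawning powershell.exe to add a Defender exclusion, a schtasks.exe run that consumes the dropped XML tmpD0B6.tmp, and a second instance of the sample, which is where the unpacked payload at 0x400000 was later found), written as an added example and not taken from the report. The process-creation events are constructed: the report prints no command lines, so the command lines, PIDs, the excluded directory and the task name are assumptions.

```python
"""Three process-creation rules for an AgentTesla-style loader chain.

Added example, not part of the Joe Sandbox report. EVENTS mirrors the
behavior graph; command lines, PIDs, the excluded directory and the task
name are assumptions because the report does not print them.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    ppid: int
    detail: str


SAMPLE = r"C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: PIDs, command lines and the excluded path are illustrative.
EVENTS = [
    ProcEvent(1000, 800, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1100, 1000, PS32,
              r'powershell Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'),
    ProcEvent(1101, 1000, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks.exe /Create /TN "Updates" /XML "C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp"'),
    ProcEvent(1102, 1000, SAMPLE, f'"{SAMPLE}"'),               # self-spawned child, later hollowed
    ProcEvent(1200, 900, PS32, "powershell Get-MpPreference"),  # benign admin use, must not fire
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
SCHTASKS_XML = re.compile(r"/create\b.*?/xml\s+\"?([^\"\s]+)", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the three rules over a batch of events and return the Findings."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _basename(e.image)
        parent = by_pid.get(e.ppid)
        # Rule 1: PowerShell adding a Defender exclusion (Disable or Modify Tools).
        if name == "powershell.exe" and DEFENDER_EXCLUSION.search(e.cmdline):
            findings.append(Finding("defender_exclusion_added", e.pid, e.ppid, e.cmdline))
        # Rule 2: schtasks importing a task definition from a user-writable path (Scheduled Task/Job).
        if name == "schtasks.exe":
            m = SCHTASKS_XML.search(e.cmdline)
            if m and USER_WRITABLE.match(m.group(1)):
                findings.append(Finding("schtask_from_user_writable_xml", e.pid, e.ppid, m.group(1)))
        # Rule 3: a binary under C:\Users starting a copy of itself, the usual prelude to
        # writing the payload into the suspended child (Process Injection).
        if parent and _basename(parent.image) == name and USER_WRITABLE.match(e.image):
            findings.append(Finding("self_spawn_from_user_path", e.pid, e.ppid, e.image))
    return findings


def loader_chains(findings, min_rules=2):
    """Group findings by parent PID; a parent tripping several rules is the loader."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.ppid].add(f.rule)
    return {ppid: sorted(r) for ppid, r in rules.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f"{f.rule:32} pid={f.pid} ppid={f.ppid} {f.detail}")
    print("loader chains:", loader_chains(found))
```

Each rule on its own is noisy (administrators do add exclusions and import task XML); the correlation in `loader_chains` is what makes the alert worth paging on, which is also why the findings carry the parent PID rather than only the child's.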


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
URGENT REQUEST FOR QUOTATION.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
URGENT REQUEST FOR QUOTATION.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\CCxRZUAFy.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\CCxRZUAFy.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Each URL is listed once below; the export repeats a row for every reputation source that returned a verdict, and every verdict here is 0% / safe. None of these hosts was contacted during the analysis (see Contacted Domains below). The strings ending in stray characters (fontbureau.comF, carterandcone.comarT, jiyu-kobo.co.jp/Webd and similar) are font-vendor URLs of the kind carried in font metadata, read out of the sample's memory together with adjacent bytes; http://www.microsoft., http://crl.microsof and https://go.micro are truncated Microsoft strings. The Tor Browser download URL, the DynDNS reference and the 127.0.0.1 string come from memory dump 2 of process 20 (source 00000014.00000002 under "URLs from Memory and Binaries"), the same dump the Yara AgentTesla match was taken from, and are the strings worth triaging.

Source | Detection | Scanner | Verdict
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.fontbureau.comcomd | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Webd | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/r | 0% | Avira URL Cloud | safe
http://www.microsoft. | 0% | URL Reputation | safe
http://www.carterandcone.comarT | 0% | Avira URL Cloud | safe
http://www.carterandcone.como.y | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ers | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/roso | 0% | Avira URL Cloud | safe
http://www.fontbureau.comdV | 0% | Avira URL Cloud | safe
http://qxLqgV.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/3 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/r | 0% | URL Reputation | safe
http://crl.microsof | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/p | 0% | URL Reputation | safe
http://www.fontbureau.comessedD | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/i | 0% | URL Reputation | safe
http://www.carterandcone.comadi | 0% | Avira URL Cloud | safe
http://www.fontbureau.comals | 0% | URL Reputation | safe
http://www.carterandcone.comlay | 0% | Avira URL Cloud | safe
http://www.carterandcone.cometh | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/b | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
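A parser for the rows of this report's text export, added here as an example and not part of the Joe Sandbox report. It handles the two fused row shapes seen in this section: the behaviour rows at the top (process image run straight into the event name, as in "...powershell.exeQueries volume information: ...") and the scanner and URL rows just above (source, percentage, scanner and verdict run together, as in "http://DynDns.comDynDNS0%URL Reputationsafe"). It resolves the missing delimiter in front of the percentage, collapses the per-reputation-source repeats, and profiles what kinds of paths each process asked volume information for. The sample rows are taken from this report; the font-vendor host list is an analyst heuristic, not a report field.

```python
"""Parse the fused r ows of a Joe Sandbox text export.

Added example, not part of the report. SAMPLE_ROWS are rows from this
report's behaviour, antivirus and URL sections; FONT_VENDOR_HOSTS is an
analyst heuristic.
"""
import re
from collections import Counter, defaultdict

SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
URGENT REQUEST FOR QUOTATION.exe39%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
URGENT REQUEST FOR QUOTATION.exe100%Joe Sandbox ML
20.2.URGENT REQUEST FOR QUOTATION.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
http://DynDns.comDynDNS0%URL Reputationsafe
http://DynDns.comDynDNS0%URL Reputationsafe
http://www.jiyu-kobo.co.jp/30%URL Reputationsafe
http://www.fontbureau.comF0%URL Reputationsafe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
""".strip().splitlines()

# Longest names first so "Avira URL Cloud" is tried before "Avira".
SCANNERS = sorted(["Avira URL Cloud", "URL Reputation", "ReversingLabs", "Joe Sandbox ML", "Avira"],
                  key=len, reverse=True)
BEHAVIOUR_ROW = re.compile(r"^Source: (?P<image>.+?\.exe)(?P<event>[A-Z][^:]*): (?P<detail>.+)$")
# Analyst heuristic, not a report field: vendors whose URLs live in font metadata.
FONT_VENDOR_HOSTS = ("www.fontbureau.com", "www.carterandcone.com",
                     "www.jiyu-kobo.co.jp", "www.founder.com.cn")


def parse_behaviour_row(line):
    """'Source: <image><Event name>: <detail>' -> dict with the image basename, else None."""
    m = BEHAVIOUR_ROW.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["image"] = row["image"].rsplit("\\", 1)[-1]
    return row


def parse_scan_row(line):
    """'<source><pct>%<scanner><verdict>' -> dict, else None.
    Nothing delimits the percentage, so a source ending in a digit is ambiguous
    ('.../30%' is '/3' at 0% or '/' at 30%). 'safe' rows are read as 0%, the only
    value the report shows for that verdict; otherwise the longest trailing digit
    run not above 100 is taken as the percentage."""
    line = line.strip()
    for scanner in SCANNERS:
        idx = line.find("%" + scanner)
        if idx > 0:
            break
    else:
        return None
    head, label = line[:idx], line[idx + 1 + len(scanner):]
    label = label.removesuffix("Download File").strip()    # link-button residue
    digits = re.search(r"\d+$", head)
    if not digits:
        return None
    run = digits.group(0)
    pct = "0" if label == "safe" else (run[-3:] if int(run[-3:]) <= 100 else run[-2:])
    return {"source": head[: len(head) - len(pct)], "pct": int(pct), "scanner": scanner, "label": label}


def dedupe_scan_rows(lines):
    """The export repeats a row once per reputation source; keep one per (source, scanner)."""
    seen, out = set(), []
    for line in lines:
        row = parse_scan_row(line)
        if row and (row["source"], row["scanner"]) not in seen:
            seen.add((row["source"], row["scanner"]))
            out.append(row)
    return out


def volume_query_profile(lines):
    """Per process image, what kinds of paths it queried volume information for.
    Catalog files, GAC assemblies and PowerShell modules are CLR/module-load noise;
    anything else (here: the sample querying its own file) deserves a look."""
    profile = defaultdict(Counter)
    for line in lines:
        row = parse_behaviour_row(line)
        if not row or row["event"] != "Queries volume information":
            continue
        path = row["detail"].removesuffix(" VolumeInformation")
        if "\\CatRoot\\" in path:
            kind = "catalog"
        elif "\\Microsoft.NET\\assembly\\" in path:
            kind = "gac-assembly"
        elif "\\WindowsPowerShell\\" in path:
            kind = "ps-module"
        elif path == "C:\\":
            kind = "drive-root"
        else:
            kind = "other"
        profile[row["image"]][kind] += 1
    return profile


def classify_url(url):
    """'font-metadata' for font-vendor URLs (with or without over-read trailing bytes), else 'review'."""
    host = re.sub(r"^https?://", "", url).split("/", 1)[0]
    return "font-metadata" if host.startswith(FONT_VENDOR_HOSTS) else "review"


if __name__ == "__main__":
    for image, kinds in volume_query_profile(SAMPLE_ROWS).items():
        print(image, dict(kinds))
    for row in dedupe_scan_rows(SAMPLE_ROWS):
        tag = classify_url(row["source"]) if row["source"].startswith("http") else "binary"
        print(f'{row["pct"]:>3}% {row["scanner"]:16} {tag:14} {row["source"]} {row["label"]}')
```

The "safe implies 0%" rule is the only thing that disambiguates "jiyu-kobo.co.jp/30%"; if a report ever shows a non-zero percentage with a "safe" verdict, that rule no longer holds and rows whose source ends in a digit have to be checked by hand.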

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries


          Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox Version:33.0.0 White Diamond
          Analysis ID:452545
          Start date:22.07.2021
          Start time:15:06:32
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 10m 2s
          Hypervisor based Inspection enabled:false
          Report type:light
          Sample file name:URGENT REQUEST FOR QUOTATION.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:32
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@15/18@0/0
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 1.4% (good quality ratio 1.3%)
          • Quality average: 66%
          • Quality standard deviation: 21.7%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed; the report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

Time | Type | Description
15:07:53 | API Interceptor | 388x Sleep call for process: URGENT REQUEST FOR QUOTATION.exe modified
15:08:00 | API Interceptor | 158x Sleep call for process: powershell.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\URGENT REQUEST FOR QUOTATION.exe.log
          Process:C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):1314
          Entropy (8bit):5.350128552078965
          Encrypted:false
          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
          MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
          SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
          SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
          SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
          Malicious:true
          Reputation:high, very likely benign file
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):14734
          Entropy (8bit):4.993014478972177
          Encrypted:false
          SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
          MD5:8D5E194411E038C060288366D6766D3D
          SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
          SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
          SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
          Malicious:false
          Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):22352
          Entropy (8bit):5.602835259520916
          Encrypted:false
          SSDEEP:384:YtCDruDPEN94WkJKIC+RoSBKnGultIuP7Y9gxSTi1BMrm/Z1AV7kv8w564I+JzYB:UEcWgq4KGultxrxA24A9I
          MD5:158CE3622E7B2A3A0171CA62C6A5D08F
          SHA1:C79CC7E0C9AB10DDB443CB017895C198700C6D34
          SHA-256:824F3D803040C23A6FEAA5C567991AACA29B03DE10901F77AD78399C398AA3F9
          SHA-512:BB73F448250057E4705F1BE6C47D522F68F87570BC0FF8E185512379B4F4AD56285E5407B1A38C845ACD508BFB87837FE4997938DB92A251F9532FF1F8246D0C
          Malicious:false
          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_atfsddvg.sju.ps1
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:very short file (no magic)
          Category:dropped
          Size (bytes):1
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3:U:U
          MD5:C4CA4238A0B923820DCC509A6F75849B
          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
          Malicious:false
          Preview: 1
          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cfw4f2kf.lgt.ps1
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:very short file (no magic)
          Category:dropped
          Size (bytes):1
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3:U:U
          MD5:C4CA4238A0B923820DCC509A6F75849B
          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
          Malicious:false
          Preview: 1
          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mby5lfvb.ykp.psm1
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:very short file (no magic)
          Category:dropped
          Size (bytes):1
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3:U:U
          MD5:C4CA4238A0B923820DCC509A6F75849B
          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
          Malicious:false
          Preview: 1
          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uj2qse0o.fof.ps1
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:very short file (no magic)
          Category:dropped
          Size (bytes):1
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3:U:U
          MD5:C4CA4238A0B923820DCC509A6F75849B
          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
          Malicious:false
          Preview: 1
          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2ozaui5.3in.psm1
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:very short file (no magic)
          Category:dropped
          Size (bytes):1
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3:U:U
          MD5:C4CA4238A0B923820DCC509A6F75849B
          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
          Malicious:false
          Preview: 1
          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xk3kxaoj.0rb.psm1
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:very short file (no magic)
          Category:dropped
          Size (bytes):1
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3:U:U
          MD5:C4CA4238A0B923820DCC509A6F75849B
          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
          Malicious:false
          Preview: 1
          C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp
          Process:C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1658
          Entropy (8bit):5.178889471468902
          Encrypted:false
          SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBcYtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3Z
          MD5:904F58B2E90F4AB00574DE411A33549F
          SHA1:CF3C774C3B00515D2CBD0A9AC6D26473832EB35D
          SHA-256:BC8A6B40FDCD693079716DF2B9743443C60565CF085811392BC151918296E3C9
          SHA-512:FB68C70FE0A9324C76439FB5220C285A5C34304723ECD6BB66906259253BA43B646DCE8B89376FA28D47AB26877F4FFD14EBD117D437B93C9DC7D84A076249B2
          Malicious:true
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
          C:\Users\user\AppData\Roaming\CCxRZUAFy.exe
          Process:C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):738304
          Entropy (8bit):7.598227533280257
          Encrypted:false
          SSDEEP:12288:fj1iM6WqpSH5vdGGmEKhJmrNX1xZ7/VY606/S0shF7XsyaUVKnp:fj1lV4SHvJmEKhKlL7K606Hshpzahp
          MD5:436F3797FC4C39D1A2319196BC15C1C3
          SHA1:1A93B32908C5DEF6129F192FD096F129EA575220
          SHA-256:F7B11103BBD791D5C2452275FF23FE51EFF41BA5071BA015EF50672138C9B459
          SHA-512:B7322A3A65D5493DF020B8746C3277511A103298FB8F985F8F13567B4967428CBD1D6F3071970C8E8BD027F071DF808EEA3D24F38F030F61BD3D256563292CE8
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 39%
          C:\Users\user\AppData\Roaming\CCxRZUAFy.exe:Zone.Identifier
          Process:C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:true
          Preview: [ZoneTransfer]....ZoneId=0
          C:\Users\user\Documents\20210722\PowerShell_transcript.887849.2t_TENv_.20210722150759.txt
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
          Category:dropped
          Size (bytes):5825
          Entropy (8bit):5.391778186192845
          Encrypted:false
          SSDEEP:96:BZ1z6eNqqDo1ZfGZMA6eNqqDo1ZoyQ6jZ16eNqqDo1ZoLKK9Za:z
          MD5:268E84561ABAE4E11F17AAFDA39D1CFF
          SHA1:CB45B544D2815DA8A8ECF3A447B0083720106940
          SHA-256:847AEAE2110031F51A2FA6C5DDFA6B7D6906FD1BD2F94E67D1BC4D3A67ABF331
          SHA-512:B8374A3F7405ADBFE0E49A707D4DF775108EDB419FFA43E59503B8EB3CA5DF9838FE40E9F3AA36C43AA08CA486D567B47E4E7E18FE4C3546ED64655C95D62EFD
          Malicious:false
          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210722150800..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 887849 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\CCxRZUAFy.exe..Process ID: 6156..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210722150800..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\CCxRZUAFy.exe..**********************..Windows PowerShell transcript start..Start time: 20210722151326..Username: computer\user..RunAs User: DE
          C:\Users\user\Documents\20210722\PowerShell_transcript.887849.CmVMk4On.20210722150759.txt
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
          Category:dropped
          Size (bytes):5825
          Entropy (8bit):5.394986426732518
          Encrypted:false
          SSDEEP:96:BZN6eN4qDo1ZSZk6eN4qDo1ZTyQ6jZo6eN4qDo1ZDLKKBTZLq:Qdq
          MD5:E20587313F3F7E8F2B3EF7C979594AD6
          SHA1:9787A4E54DF0F78145A83E53A160CEB8293CD1AA
          SHA-256:EFB3FEDFFB49E1D9B9D739E6E0AC8C2BFE0F5D0BFBF528D076E03FF56C4D9EE5
          SHA-512:DC304FFE413296EDC92FFD3C175B08820E408CE34EAF513F81ADB28B9436C1FD029CA55A4593AEEE6156C1427C2C84F32454E859C58530AC256C407738FE540B
          Malicious:false
          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210722150826..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 887849 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\CCxRZUAFy.exe..Process ID: 5788..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210722150826..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\CCxRZUAFy.exe..**********************..Windows PowerShell transcript start..Start time: 20210722151626..Username: computer\user..RunAs User: DE
          C:\Users\user\Documents\20210722\PowerShell_transcript.887849.tSO3nJDl.20210722150757.txt
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
          Category:dropped
          Size (bytes):3563
          Entropy (8bit):5.381517724278677
          Encrypted:false
          SSDEEP:96:BZx6eNKUqDo1ZMaZU6eNKUqDo1ZZqmEg0cEg0cEg0yZF:20dgAgAgF
          MD5:DB87767DD4402D72A44DAE34A7C1FFA5
          SHA1:2CAE9062D732301ACF9A8CD7B8F8D6EF1231D104
          SHA-256:2CD691AE85743FB44AFA8916B57FC39BE151164A9C748EFD244F7B8DDF8B6899
          SHA-512:FBF13E51D7D3689C8B50182099B021A4AC63D7FCD76354E34CFCD8982369F98ED4117A9AD194C60DA7B07817CACD6684EDB3082839D2A966E9B6BC682574A923
          Malicious:false
          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210722150822..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 887849 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe..Process ID: 5516..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210722150822..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe..**********************..Command start time: 20210722151529..**********************..PS>TerminatingError(Add-MpPreferen

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.598227533280257
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          • Win32 Executable (generic) a (10002005/4) 49.75%
          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
          • Windows Screen Saver (13104/52) 0.07%
          • Generic Win/DOS Executable (2004/3) 0.01%
          File name:URGENT REQUEST FOR QUOTATION.exe
          File size:738304
          MD5:436f3797fc4c39d1a2319196bc15c1c3
          SHA1:1a93b32908c5def6129f192fd096f129ea575220
          SHA256:f7b11103bbd791d5c2452275ff23fe51eff41ba5071ba015ef50672138c9b459
          SHA512:b7322a3a65d5493df020b8746c3277511a103298fb8f985f8f13567b4967428cbd1d6f3071970c8e8bd027f071df808eea3d24f38f030f61bd3d256563292ce8
          SSDEEP:12288:fj1iM6WqpSH5vdGGmEKhJmrNX1xZ7/VY606/S0shF7XsyaUVKnp:fj1lV4SHvJmEKhKlL7K606Hshpzahp

          File Icon

          Icon Hash:00828e8e8686b000

          Static PE Info

          General

          Entrypoint:0x4b5766
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x60F8CA4A [Thu Jul 22 01:30:50 2021 UTC]
          TLS Callbacks:
          CLR (.Net) Version:v4.0.30319
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

          Entrypoint Preview

          Instruction
          jmp dword ptr [00402000h]
          int3
          jnc 00007F9E28AA04BDh
          test al, EAh
          pushfd
          inc esi
          add eax, 35C2CDF9h
          adc ebp, dword ptr [edi+0Fh]
          stc
          int C2h
          xor eax, 0F6F132Eh
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5714 | 0x4f | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0x608 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb8000 | 0xc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x2000 | 0xb3784 | 0xb3800 | False | 0.784774057712 | data | 7.60723196503 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rsrc | 0xb6000 | 0x608 | 0x800 | False | 0.3330078125 | data | 3.46823340289 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0xb8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          RT_VERSION | 0xb6090 | 0x376 | data |  | 
          RT_MANIFEST | 0xb6418 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |  | 

          Imports

          DLL | Import
          mscoree.dll | _CorExeMain

          Version Infos

          Description | Data
          Translation | 0x0000 0x04b0
          LegalCopyright | (c) 2019 Riot Games, Inc.
          Assembly Version | 2.0.26.9
          InternalName | SinkProviderEnt.exe
          FileVersion | 2.0.26.9
          CompanyName | Riot Games, Inc.
          LegalTrademarks | 
          Comments | 
          ProductName | Riot Client
          ProductVersion | 2.0.26.9
          FileDescription | Riot Client
          OriginalFilename | SinkProviderEnt.exe

          Network Behavior

          No network behavior found

          Code Manipulations

          Statistics

          Behavior


          System Behavior

          General

          Start time:15:07:24
          Start date:22/07/2021
          Path:C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'
          Imagebase:0xa70000
          File size:738304 bytes
          MD5 hash:436F3797FC4C39D1A2319196BC15C1C3
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Reputation:low

          General

          Start time:15:07:54
          Start date:22/07/2021
          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):true
          Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe'
          Imagebase:0x1110000
          File size:430592 bytes
          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Reputation:high

          General

          Start time:15:07:55
          Start date:22/07/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff774ee0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:15:07:55
          Start date:22/07/2021
          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):true
          Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'
          Imagebase:0x1110000
          File size:430592 bytes
          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Reputation:high

          General

          Start time:15:07:56
          Start date:22/07/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff774ee0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:15:07:55
          Start date:22/07/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CCxRZUAFy' /XML 'C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp'
          Imagebase:0x290000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:15:07:56
          Start date:22/07/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff774ee0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:15:07:57
          Start date:22/07/2021
          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):true
          Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CCxRZUAFy.exe'
          Imagebase:0x1110000
          File size:430592 bytes
          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Reputation:high

          General

          Start time:15:07:57
          Start date:22/07/2021
          Path:C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe
          Imagebase:0xec0000
          File size:738304 bytes
          MD5 hash:436F3797FC4C39D1A2319196BC15C1C3
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Reputation:low

          General

          Start time:15:07:57
          Start date:22/07/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff774ee0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Disassembly

          Code Analysis
