Windows Analysis Report
RFQ-101432620247fl#U00e2#U00aexslx.exe

Overview

General Information

Sample name: RFQ-101432620247fl#U00e2#U00aexslx.exe
renamed because original name is a hash value
Original sample name: RFQ-101432620247flxslx.exe
Analysis ID: 1445865
MD5: 626130b6e15538c11f7c38c2fe4a6039
SHA1: 706ca5ac781496076d1604536b9ce10ac1f62ee1
SHA256: b89d6be0bcfb915492beb7ae726f815dcf289a284e650c200bda4faf5db60fa1
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Avira: detection malicious, Label: TR/AVI.PWS.Agent.apilj
Found malware configuration
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendMessage?chat_id=7062075018"}
Source: ywKDUBCUA.exe.2260.10.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendMessage"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe ReversingLabs: Detection: 83%
Multi AV Scanner detection for submitted file
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe ReversingLabs: Detection: 83%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 4x nop then jmp 048C3FC9h 0_2_048C38A3
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 4x nop then jmp 050D31F1h 10_2_050D2ACB

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49709 -> 149.154.167.220:443
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49712 -> 149.154.167.220:443
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc7a52168f7017Host: api.telegram.orgContent-Length: 918Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc7a521867a3caHost: api.telegram.orgContent-Length: 918Expect: 100-continueConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc7a52168f7017Host: api.telegram.orgContent-Length: 918Expect: 100-continueConnection: Keep-Alive
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.000000000327D000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, ywKDUBCUA.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, ywKDUBCUA.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, ywKDUBCUA.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2063886948.00000000028CA000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.000000000326A000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 0000000A.00000002.2102960401.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.000000000326A000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3264244060.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.0000000003266000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, ywKDUBCUA.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, NDL2m67zO.cs .Net Code: tmyAmPp
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, NDL2m67zO.cs .Net Code: tmyAmPp
Installs a global keyboard hook
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: RFQ-101432620247fl#U00e2#U00aexslx.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_00E9DE8C 0_2_00E9DE8C
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_048C3360 0_2_048C3360
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_048C3350 0_2_048C3350
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_048C08C0 0_2_048C08C0
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_048C58F8 0_2_048C58F8
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BF7458 0_2_06BF7458
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BF5230 0_2_06BF5230
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BF2106 0_2_06BF2106
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BF7449 0_2_06BF7449
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BFE570 0_2_06BFE570
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BF521F 0_2_06BF521F
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BFE138 0_2_06BFE138
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BF2DD8 0_2_06BF2DD8
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BFDD00 0_2_06BFDD00
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BF7AB9 0_2_06BF7AB9
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BF7AC8 0_2_06BF7AC8
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BFF810 0_2_06BFF810
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_014F9420 9_2_014F9420
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_014F9BE0 9_2_014F9BE0
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_014F4A68 9_2_014F4A68
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_014F3E50 9_2_014F3E50
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_014FCE60 9_2_014FCE60
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_014F4198 9_2_014F4198
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_066D2EF0 9_2_066D2EF0
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_066D56D0 9_2_066D56D0
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_066D3F48 9_2_066D3F48
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_066DDC30 9_2_066DDC30
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_066DBCF8 9_2_066DBCF8
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_066D9AD8 9_2_066D9AD8
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_066D8B88 9_2_066D8B88
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_066D0040 9_2_066D0040
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_066D3640 9_2_066D3640
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_066D4FF0 9_2_066D4FF0
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_06811DAE 9_2_06811DAE
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_06811DC8 9_2_06811DC8
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_071C4C48 9_2_071C4C48
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_071C0040 9_2_071C0040
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_016DDE8C 10_2_016DDE8C
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_050D2588 10_2_050D2588
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_050D2578 10_2_050D2578
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_050D4C18 10_2_050D4C18
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_07307458 10_2_07307458
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_07302106 10_2_07302106
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_0730E570 10_2_0730E570
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_07307449 10_2_07307449
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_07305230 10_2_07305230
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_0730521F 10_2_0730521F
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_0730E138 10_2_0730E138
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_0730DD00 10_2_0730DD00
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_07302C38 10_2_07302C38
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_07307AB9 10_2_07307AB9
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_07307AC8 10_2_07307AC8
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_0730F810 10_2_0730F810
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_00F24A68 16_2_00F24A68
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_00F29BE0 16_2_00F29BE0
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_00F2CE60 16_2_00F2CE60
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_00F23E50 16_2_00F23E50
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_00F24198 16_2_00F24198
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05D6BCF8 16_2_05D6BCF8
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05D63F48 16_2_05D63F48
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05D656D0 16_2_05D656D0
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05D62EF0 16_2_05D62EF0
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05D60040 16_2_05D60040
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05D68B7A 16_2_05D68B7A
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05D69AD8 16_2_05D69AD8
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05D64FF0 16_2_05D64FF0
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05D6362F 16_2_05D6362F
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05EA1DC8 16_2_05EA1DC8
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05EA1DBA 16_2_05EA1DBA
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_06854C48 16_2_06854C48
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_06850040 16_2_06850040
PE / OLE file has an invalid certificate
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2070955375.00000000088F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000000.2012931126.0000000000554000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKZAH.exe" vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2063886948.00000000028CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename93176932-712c-4cc3-b1ef-f9b971c9a078.exe4 vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2069571272.0000000008217000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKZAH.exe" vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename93176932-712c-4cc3-b1ef-f9b971c9a078.exe4 vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2062667965.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3264863330.00000000012F9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3264260880.000000000043E000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename93176932-712c-4cc3-b1ef-f9b971c9a078.exe4 vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Binary or memory string: OriginalFilenameKZAH.exe" vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Uses 32bit PE files
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ywKDUBCUA.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, OTWUo99bfyR.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, OTWUo99bfyR.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, Ui9qhZiA7.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, Ui9qhZiA7.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, WXLXx86ylIQfeMsLR5.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, WXLXx86ylIQfeMsLR5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, WXLXx86ylIQfeMsLR5.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, WXLXx86ylIQfeMsLR5.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, WXLXx86ylIQfeMsLR5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, WXLXx86ylIQfeMsLR5.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, lMgrnFqi5rRuM663RZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, lMgrnFqi5rRuM663RZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.28a3730.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.28ab748.2.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.6bc0000.7.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/15@1/1
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe File created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Mutant created: \Sessions\1\BaseNamedObjects\amrvdJsEeRNf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe File created: C:\Users\user\AppData\Local\Temp\tmp9347.tmp Jump to behavior
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe File read: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp" Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, WXLXx86ylIQfeMsLR5.cs .Net Code: USmjbMq54i System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, wehuuoKhMKMbnQu72K.cs .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, WXLXx86ylIQfeMsLR5.cs .Net Code: USmjbMq54i System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_00E9D5C0 push eax; ret 0_2_00E9D5C1
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BF9850 pushfd ; iretd 0_2_06BF9879
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_014F9BD0 pushad ; ret 9_2_014F9BD1
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_06811658 push cs; retf 9_2_0681165B
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_0681B3C0 push es; ret 9_2_0681B3D0
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_071C4790 pushfd ; retf 9_2_071C4791
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_071C2A10 push es; ret 9_2_071C2A20
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_016DD5C0 push eax; ret 10_2_016DD5C1
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_07309850 pushfd ; iretd 10_2_07309879
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_00F29BD0 pushad ; ret 16_2_00F29BD1
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05EA1578 push cs; retf 16_2_05EA157C
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05EA1499 pushad ; retf 16_2_05EA149A
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05EA1658 push cs; retf 16_2_05EA165B
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05EAB3C0 push es; ret 16_2_05EAB3D0
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_06854790 pushfd ; retf 16_2_06854791
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_06852A10 push es; ret 16_2_06852A20
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static PE information: section name: .text entropy: 7.804264542022236
Source: ywKDUBCUA.exe.0.dr Static PE information: section name: .text entropy: 7.804264542022236
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, BXf6FBO8RUpjNfUvb9.cs High entropy of concatenated method names: 'mhUvMcwqon', 'IAOviKPKa5', 'jVCvKk9uNr', 'oFFKIv2Q9E', 'dXpKz8YSZ4', 'Jn5vCtCapQ', 'HnPvGYHQkj', 'ntSvS3v78y', 'Cq5vnr57wd', 'vh1vjBwX4A'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, t0Q8xKg2Rt1VrenmFW.cs High entropy of concatenated method names: 'H3VKfcptMI', 'ApxKDPuCVh', 'EVXKxXidVL', 'B17KvgMWAR', 'qajK6j4F0j', 'tG1xtnY5cL', 'G7GxwkLdQ7', 'b7gx9q8Hhc', 'LI2xJ2pehw', 'LxAxrJ6I2l'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, z4Lt9BGCCfMS3EUAYkN.cs High entropy of concatenated method names: 'qE8Y8tgVAq', 'uWqY5QBjba', 'aZLYb8He3d', 'jWiY1hu1P4', 'CTjYkhxgjj', 'f8XYyke7OR', 'PrKYsOWfGw', 'dMJYqaOQRj', 'XV3YPGBv3x', 'hMUYUEnKXF'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, lMgrnFqi5rRuM663RZ.cs High entropy of concatenated method names: 'pJ6Da2IbYg', 'lhfDFycPY9', 'POqDVajNoF', 'SwfDuqA7o3', 'AMHDtuun4L', 'HTLDwE1eKA', 'oJfD9IEfqC', 'lodDJMpIVO', 'wSiDr85Lhv', 'xpSDIV9aPF'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, qrKNNWIs1iYM2TK7gp.cs High entropy of concatenated method names: 'gWoYGhdVAx', 'nCHYn3uVIJ', 'Rn7Yj1uD02', 'TAeYMdTIya', 'kv9YDgKdyO', 'W7mYxm78GO', 'm3lYKARpgE', 'q5q09vm0n9', 'rTq0JqQKOj', 'aU80rUDyVJ'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, uwv9tXGnDnUKhCEBhfI.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VY9RaHt1RX', 'tZeRFu2b5W', 'in6RVpfY3K', 'l2XRuY1cMa', 'omDRt5qpFk', 'FmYRwbvEw2', 'Tr1R9N3amn'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, WXLXx86ylIQfeMsLR5.cs High entropy of concatenated method names: 'sKynf5yHPQ', 'Lg5nMC3SVq', 'dWLnDSdHNB', 'Rq8niDlRBu', 'k1XnxLShZM', 'oQqnKaXL1s', 'HQZnvK96Om', 'YDFn6w8YFe', 'NUZndorCoA', 'Iblnl6gjux'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, FxkmO9PvtoTWIXJWG1.cs High entropy of concatenated method names: 'pfCi1prOjy', 'UYYiy3QDPB', 'VpSiqgDFR5', 'plUiPDBEDc', 'TfTiXUAcEl', 'qXkioceSUY', 'JOWimYSXIM', 'eKTi0PUjvy', 'CwpiYXfkFl', 'C0ViRmCs7f'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, S4uTr5z7YJMyG0JPGE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eKVYZlFYBd', 'PEwYX8p87g', 'VOtYowKfA0', 'NylYmCx31I', 'CM4Y0jMyO9', 'SlEYYlL09f', 'CsdYRA58HM'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, hZ9TRjivh2CC91EfYt.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'X0LSrTBQP5', 'yTtSIJN8Oa', 'H02Sz97U8S', 'mwDnCjy9Pv', 'E42nGGahrj', 'NXbnSvptGm', 'tqqnnobipD', 'saGI2FQQmKXk73q2q1G'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, sAxS2MJSRGlYALqvZ9.cs High entropy of concatenated method names: 'kB90MogDrp', 'RW00DFKJCu', 'aLY0ib3oL2', 'WcR0xMnveW', 'LvC0KNVStp', 'gTJ0v328Ey', 'GJb06lYPp2', 'Cna0dM3B8p', 'fXa0lsZ8nE', 'fJJ0ARQDM3'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, xJ3quUjxTCHPdrK6rQ.cs High entropy of concatenated method names: 'mXdGvMgrnF', 'h5rG6RuM66', 'WvtGloTWIX', 'XWGGA1qoJR', 'DlxGXmyL0Q', 'xxKGo2Rt1V', 'cxFY9OvLZcN6ESiIpv', 'LHkIpUcgbvgKTH7bnE', 'FHNGGf0O2x', 'BWPGn7TZ16'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, waO3TSuHyF8gZH4h0U.cs High entropy of concatenated method names: 'IhEmluFBeC', 'jrdmAuH19N', 'ToString', 'xICmMScR6F', 'wFimDJfP5W', 'UgmmijA0VD', 'd3Hmxg4aMw', 'Jj9mK1NtLV', 'hqvmvYGLjK', 'QxUm6CigB7'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, srYjTdcb7xHXR2ikdO.cs High entropy of concatenated method names: 'pwZv8Nen0Q', 'eXQv5IiPSd', 'z4svb11qja', 'kpsv1qUKFa', 'knYvkZHsIM', 'Ojdvy4NlOr', 'yjuvs7F5G4', 'fZHvqb8hDu', 'rRivPxEFlK', 'WV8vUrslC1'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, FYINXRa7WnDljwogyG.cs High entropy of concatenated method names: 'x2SXBl4VIE', 'LtPXH3AtKo', 'nxaXa5ce4w', 'vrXXFgMPAV', 'dJeX41QWwQ', 'UWrXTGEUnx', 'i8sXN3uL6Q', 'PZGX2UubPe', 'B6gX7BH9t3', 'HCRXO0papt'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, DoJRnRUQZ8SJGqlxmy.cs High entropy of concatenated method names: 'eJ5xkPv8rx', 'yPBxsROcPo', 'Sh6iTT0STg', 'DFMiNwpE5H', 'qKWi2Wtbwk', 'CDgi7S3LKC', 'yFmiOra0ZR', 'yTjiEkmMKI', 'vLficMP1gP', 'jusiBlrgyk'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, sPshwgSvwCm5KLaMaH.cs High entropy of concatenated method names: 'G3UbUhyTo', 'Nv51p96qR', 'pxYy6stj4', 'msPsm0Wss', 'zYbPEB0Fh', 'xi5UGISgI', 'XDvO9CJofB4me6kT7y', 'xOvNkboYggKS31dyEA', 'i5t0kMK87', 'dZ0RGW935'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, K6uYoxwYkvgQZqPZti.cs High entropy of concatenated method names: 'MSlmJf9su5', 'NVlmIl2RLQ', 'THZ0CdgddE', 'sUv0GPf9wH', 'l4YmpffOXR', 'qmxmHl2nlL', 'or5meRudfy', 'g9hmaZNspi', 'ww3mFtyw0s', 'nvfmVNPqWr'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, irAqRReI113hs4CKMq.cs High entropy of concatenated method names: 'VuBZqZVRHX', 'GmGZPL8RNq', 'OZtZgaV88e', 'KGOZ4JHnwX', 'Y0yZNqnqbg', 'HuRZ2GfjwA', 'CPqZOD0x0w', 'R5aZEOXckS', 'mZxZB7Gw1D', 'cdaZpCBAM4'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, dqNH5EDJbwOd74asBH.cs High entropy of concatenated method names: 'Dispose', 'rN0GrBjrtQ', 'SltS4Fcypp', 'CbQNN8N4u7', 'WRAGIxS2MS', 'tGlGzYALqv', 'ProcessDialogKey', 'n95SCIBlSe', 'dJYSG14MQO', 'auESSmrKNN'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, kdFvaMFVPKs73pA7Ae.cs High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, DD.cs High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, ihWImL1h2qjtIkVYDh.cs High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, oImfMJtvGUo8fMQNBQ.cs High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, wehuuoKhMKMbnQu72K.cs High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, BXf6FBO8RUpjNfUvb9.cs High entropy of concatenated method names: 'mhUvMcwqon', 'IAOviKPKa5', 'jVCvKk9uNr', 'oFFKIv2Q9E', 'dXpKz8YSZ4', 'Jn5vCtCapQ', 'HnPvGYHQkj', 'ntSvS3v78y', 'Cq5vnr57wd', 'vh1vjBwX4A'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, t0Q8xKg2Rt1VrenmFW.cs High entropy of concatenated method names: 'H3VKfcptMI', 'ApxKDPuCVh', 'EVXKxXidVL', 'B17KvgMWAR', 'qajK6j4F0j', 'tG1xtnY5cL', 'G7GxwkLdQ7', 'b7gx9q8Hhc', 'LI2xJ2pehw', 'LxAxrJ6I2l'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, z4Lt9BGCCfMS3EUAYkN.cs High entropy of concatenated method names: 'qE8Y8tgVAq', 'uWqY5QBjba', 'aZLYb8He3d', 'jWiY1hu1P4', 'CTjYkhxgjj', 'f8XYyke7OR', 'PrKYsOWfGw', 'dMJYqaOQRj', 'XV3YPGBv3x', 'hMUYUEnKXF'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, lMgrnFqi5rRuM663RZ.cs High entropy of concatenated method names: 'pJ6Da2IbYg', 'lhfDFycPY9', 'POqDVajNoF', 'SwfDuqA7o3', 'AMHDtuun4L', 'HTLDwE1eKA', 'oJfD9IEfqC', 'lodDJMpIVO', 'wSiDr85Lhv', 'xpSDIV9aPF'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, qrKNNWIs1iYM2TK7gp.cs High entropy of concatenated method names: 'gWoYGhdVAx', 'nCHYn3uVIJ', 'Rn7Yj1uD02', 'TAeYMdTIya', 'kv9YDgKdyO', 'W7mYxm78GO', 'm3lYKARpgE', 'q5q09vm0n9', 'rTq0JqQKOj', 'aU80rUDyVJ'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, uwv9tXGnDnUKhCEBhfI.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VY9RaHt1RX', 'tZeRFu2b5W', 'in6RVpfY3K', 'l2XRuY1cMa', 'omDRt5qpFk', 'FmYRwbvEw2', 'Tr1R9N3amn'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, WXLXx86ylIQfeMsLR5.cs High entropy of concatenated method names: 'sKynf5yHPQ', 'Lg5nMC3SVq', 'dWLnDSdHNB', 'Rq8niDlRBu', 'k1XnxLShZM', 'oQqnKaXL1s', 'HQZnvK96Om', 'YDFn6w8YFe', 'NUZndorCoA', 'Iblnl6gjux'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, FxkmO9PvtoTWIXJWG1.cs High entropy of concatenated method names: 'pfCi1prOjy', 'UYYiy3QDPB', 'VpSiqgDFR5', 'plUiPDBEDc', 'TfTiXUAcEl', 'qXkioceSUY', 'JOWimYSXIM', 'eKTi0PUjvy', 'CwpiYXfkFl', 'C0ViRmCs7f'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, S4uTr5z7YJMyG0JPGE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eKVYZlFYBd', 'PEwYX8p87g', 'VOtYowKfA0', 'NylYmCx31I', 'CM4Y0jMyO9', 'SlEYYlL09f', 'CsdYRA58HM'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, hZ9TRjivh2CC91EfYt.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'X0LSrTBQP5', 'yTtSIJN8Oa', 'H02Sz97U8S', 'mwDnCjy9Pv', 'E42nGGahrj', 'NXbnSvptGm', 'tqqnnobipD', 'saGI2FQQmKXk73q2q1G'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, sAxS2MJSRGlYALqvZ9.cs High entropy of concatenated method names: 'kB90MogDrp', 'RW00DFKJCu', 'aLY0ib3oL2', 'WcR0xMnveW', 'LvC0KNVStp', 'gTJ0v328Ey', 'GJb06lYPp2', 'Cna0dM3B8p', 'fXa0lsZ8nE', 'fJJ0ARQDM3'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, xJ3quUjxTCHPdrK6rQ.cs High entropy of concatenated method names: 'mXdGvMgrnF', 'h5rG6RuM66', 'WvtGloTWIX', 'XWGGA1qoJR', 'DlxGXmyL0Q', 'xxKGo2Rt1V', 'cxFY9OvLZcN6ESiIpv', 'LHkIpUcgbvgKTH7bnE', 'FHNGGf0O2x', 'BWPGn7TZ16'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, waO3TSuHyF8gZH4h0U.cs High entropy of concatenated method names: 'IhEmluFBeC', 'jrdmAuH19N', 'ToString', 'xICmMScR6F', 'wFimDJfP5W', 'UgmmijA0VD', 'd3Hmxg4aMw', 'Jj9mK1NtLV', 'hqvmvYGLjK', 'QxUm6CigB7'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, srYjTdcb7xHXR2ikdO.cs High entropy of concatenated method names: 'pwZv8Nen0Q', 'eXQv5IiPSd', 'z4svb11qja', 'kpsv1qUKFa', 'knYvkZHsIM', 'Ojdvy4NlOr', 'yjuvs7F5G4', 'fZHvqb8hDu', 'rRivPxEFlK', 'WV8vUrslC1'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, FYINXRa7WnDljwogyG.cs High entropy of concatenated method names: 'x2SXBl4VIE', 'LtPXH3AtKo', 'nxaXa5ce4w', 'vrXXFgMPAV', 'dJeX41QWwQ', 'UWrXTGEUnx', 'i8sXN3uL6Q', 'PZGX2UubPe', 'B6gX7BH9t3', 'HCRXO0papt'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, DoJRnRUQZ8SJGqlxmy.cs High entropy of concatenated method names: 'eJ5xkPv8rx', 'yPBxsROcPo', 'Sh6iTT0STg', 'DFMiNwpE5H', 'qKWi2Wtbwk', 'CDgi7S3LKC', 'yFmiOra0ZR', 'yTjiEkmMKI', 'vLficMP1gP', 'jusiBlrgyk'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, sPshwgSvwCm5KLaMaH.cs High entropy of concatenated method names: 'G3UbUhyTo', 'Nv51p96qR', 'pxYy6stj4', 'msPsm0Wss', 'zYbPEB0Fh', 'xi5UGISgI', 'XDvO9CJofB4me6kT7y', 'xOvNkboYggKS31dyEA', 'i5t0kMK87', 'dZ0RGW935'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, K6uYoxwYkvgQZqPZti.cs High entropy of concatenated method names: 'MSlmJf9su5', 'NVlmIl2RLQ', 'THZ0CdgddE', 'sUv0GPf9wH', 'l4YmpffOXR', 'qmxmHl2nlL', 'or5meRudfy', 'g9hmaZNspi', 'ww3mFtyw0s', 'nvfmVNPqWr'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, irAqRReI113hs4CKMq.cs High entropy of concatenated method names: 'VuBZqZVRHX', 'GmGZPL8RNq', 'OZtZgaV88e', 'KGOZ4JHnwX', 'Y0yZNqnqbg', 'HuRZ2GfjwA', 'CPqZOD0x0w', 'R5aZEOXckS', 'mZxZB7Gw1D', 'cdaZpCBAM4'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, dqNH5EDJbwOd74asBH.cs High entropy of concatenated method names: 'Dispose', 'rN0GrBjrtQ', 'SltS4Fcypp', 'CbQNN8N4u7', 'WRAGIxS2MS', 'tGlGzYALqv', 'ProcessDialogKey', 'n95SCIBlSe', 'dJYSG14MQO', 'auESSmrKNN'
Drops PE files
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe File created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: E90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: 2860000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: 4860000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: 8970000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: 9970000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: 9C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: AC70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: 14B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: 3210000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: 3090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Memory allocated: 16D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Memory allocated: 3070000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Memory allocated: 5070000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Memory allocated: 8C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Memory allocated: 9C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Memory allocated: 8C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Memory allocated: EE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Memory allocated: 2CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Memory allocated: 1060000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199891 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199766 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199656 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199547 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199435 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199328 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199219 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199109 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198889 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198781 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198672 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198563 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198453 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198344 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198234 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198125 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198016 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197906 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197797 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197688 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197563 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197438 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197313 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197203 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197094 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196969 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196859 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196681 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196531 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196422 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196312 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196203 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196094 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195984 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195875 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195766 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195656 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195547 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195438 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195313 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195188 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195063 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194953 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194844 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194719 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194609 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194500 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194391 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194281 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199874
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199764
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199656
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199546
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199250
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199125
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199015
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198906
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198796
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198687
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198578
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198468
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198359
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198250
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198140
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198031
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197921
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197812
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197703
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197593
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197484
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197373
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197265
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197156
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197046
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196937
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196828
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196718
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196609
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196500
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196390
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196281
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196171
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196060
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195951
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195843
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195734
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195624
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195515
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195406
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195296
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195187
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195078
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194954
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194730
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194598
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194308
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194202
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194093
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1193982
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8249 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1391 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8012 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1532 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Window / User API: threadDelayed 3254 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Window / User API: threadDelayed 6595 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Window / User API: threadDelayed 7343
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Window / User API: threadDelayed 2516
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 5820 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6516 Thread sleep count: 8249 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656 Thread sleep count: 1391 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3732 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -29514790517935264s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1200000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7460 Thread sleep count: 3254 > 30 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1199891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7460 Thread sleep count: 6595 > 30 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1199766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1199656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1199547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1199435s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1199328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1199219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1199109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1199000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1198889s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1198781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1198672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1198563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1198453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1198344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1198234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1198125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1198016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1197906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1197797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1197688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1197563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1197438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1197313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1197203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1197094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1196969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1196859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1196681s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1196531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1196422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1196312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1196203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1196094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1195984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1195875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1195766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1195656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1195547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1195438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1195313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1195188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1195063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1194953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1194844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1194719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1194609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1194500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1194391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 Thread sleep time: -1194281s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 1848 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7576 Thread sleep count: 7343 > 30
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1199874s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7576 Thread sleep count: 2516 > 30
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1199764s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1199656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1199546s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1199250s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1199125s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1199015s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1198906s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1198796s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1198687s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1198578s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1198468s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1198359s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1198250s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1198140s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1198031s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1197921s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1197812s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1197703s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1197593s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1197484s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1197373s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1197265s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1197156s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1197046s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1196937s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1196828s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1196718s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1196609s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1196500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1196390s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1196281s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1196171s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1196060s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1195951s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1195843s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1195734s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1195624s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1195515s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1195406s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1195296s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1195187s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1195078s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1194954s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1194730s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1194598s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1194308s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1194202s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1194093s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572 Thread sleep time: -1193982s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199891 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199766 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199656 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199547 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199435 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199328 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199219 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199109 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1199000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198889 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198781 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198672 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198563 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198453 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198344 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198234 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198125 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1198016 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197906 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197797 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197688 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197563 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197438 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197313 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197203 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1197094 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196969 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196859 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196681 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196531 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196422 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196312 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196203 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1196094 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195984 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195875 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195766 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195656 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195547 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195438 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195313 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195188 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1195063 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194953 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194844 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194719 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194609 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194500 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194391 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Thread delayed: delay time: 1194281 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199874
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199764
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199656
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199546
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199250
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199125
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1199015
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198906
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198796
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198687
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198578
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198468
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198359
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198250
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198140
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1198031
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197921
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197812
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197703
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197593
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197484
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197373
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197265
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197156
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1197046
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196937
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196828
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196718
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196609
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196500
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196390
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196281
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196171
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1196060
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195951
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195843
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195734
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195624
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195515
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195406
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195296
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195187
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1195078
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194954
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194730
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194598
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194308
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194202
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1194093
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Thread delayed: delay time: 1193982
Source: ywKDUBCUA.exe, 00000010.00000002.3265209027.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlllf$
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2070955375.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wHGfSH4OfX
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3266474447.0000000001629000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp" Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Process created: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ywKDUBCUA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3268439480.0000000003262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3268715008.0000000002D02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3268715008.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3268439480.000000000327D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 7448, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ywKDUBCUA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 7448, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ywKDUBCUA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 7448, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ywKDUBCUA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3268439480.0000000003262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3268715008.0000000002D02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3268715008.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3268439480.000000000327D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 7448, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ywKDUBCUA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ywKDUBCUA.exe PID: 7448, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1445865 Sample: RFQ-101432620247fl#U00e2#U0... Startdate: 22/05/2024 Architecture: WINDOWS Score: 100 46 api.telegram.org 2->46 50 Snort IDS alert for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 58 13 other signatures 2->58 8 RFQ-101432620247fl#U00e2#U00aexslx.exe 7 2->8         started        12 ywKDUBCUA.exe 5 2->12         started        signatures3 56 Uses the Telegram API (likely for C&C communication) 46->56 process4 file5 42 C:\Users\user\AppData\Roaming\ywKDUBCUA.exe, PE32 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmp9347.tmp, XML 8->44 dropped 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 64 Adds a directory exclusion to Windows Defender 8->64 14 RFQ-101432620247fl#U00e2#U00aexslx.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        66 Antivirus detection for dropped file 12->66 68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 24 ywKDUBCUA.exe 12->24         started        26 schtasks.exe 12->26         started        28 ywKDUBCUA.exe 12->28         started        30 ywKDUBCUA.exe 12->30         started        signatures6 process7 dnsIp8 48 api.telegram.org 149.154.167.220, 443, 49709, 49712 TELEGRAMRU United Kingdom 14->48 72 Installs a global keyboard hook 14->72 74 Loading BitLocker PowerShell Module 18->74 32 conhost.exe 18->32         started        34 WmiPrvSE.exe 18->34         started        36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->76 78 Tries to steal Mail credentials (via file / registry access) 24->78 80 Tries to harvest and steal ftp login credentials 24->80 82 Tries to harvest and steal browser information (history, passwords, etc) 24->82 40 conhost.exe 26->40         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true

Contacted Domains

Name IP Active
api.telegram.org 149.154.167.220 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument true
  • Avira URL Cloud: safe
 unknown