Windows Analysis Report
rrequestforquotation.exe

Overview

General Information

Sample name: rrequestforquotation.exe
Analysis ID: 1560713
MD5: 4a15ed0feb9e90b56e82c2e45a3b3f5e
SHA1: 659661291eb5fd6452d6cabdc24cd9fbc1fb17f7
SHA256: d5d8c33957e90d1caca4b5207d8da5ab1bc4caa9f702abc0ec006d0518ea9aec
Tags: exe, user-Porcupine

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: rrequestforquotation.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Avira: detection malicious, Label: HEUR/AGEN.1309540
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Virustotal: Detection: 43%
Source: rrequestforquotation.exe Virustotal: Detection: 43%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Joe Sandbox ML: detected
Source: rrequestforquotation.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: rrequestforquotation.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49744 version: TLS 1.0
Source: rrequestforquotation.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match File source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive (7 requests)
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org (9 requests)
Source: Joe Sandbox View IP Address: 193.122.6.168
Source: Joe Sandbox View IP Address: 172.67.177.134
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49752 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49763 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49760 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49770 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49764 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 172.67.177.134:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive (11 requests)
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org (8 requests)
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49744 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: rrequestforquotation.exe, oGnCNPiCwiAocn.exe.0.dr String found in binary or memory: https://github.com/ppx17/Onkyo-Remote-Control
Source: rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: rrequestforquotation.exe, 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$

System Summary

Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: initial sample Static PE information: Filename: rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1753494185.0000000005590000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1746469982.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1746469982.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1744711417.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000000.1664980863.00000000008F6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamerwui.exeB vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1754030257.0000000005CA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameschtasks.exe.muij% vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1759798565.00000000076E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000008.00000002.4142900425.0000000000B37000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rrequestforquotation.exe
Source: rrequestforquotation.exe Binary or memory string: OriginalFilenamerwui.exeB vs rrequestforquotation.exe
Source: rrequestforquotation.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: rrequestforquotation.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: oGnCNPiCwiAocn.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, C--K.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, --A.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, C--K.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, --A.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, juqVWnykJF34oGXK3k.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, juqVWnykJF34oGXK3k.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, DpwDuYlfrcsRiIHau0.cs Security API names: _0020.SetAccessControl
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, DpwDuYlfrcsRiIHau0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, DpwDuYlfrcsRiIHau0.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, DpwDuYlfrcsRiIHau0.cs Security API names: _0020.SetAccessControl
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, DpwDuYlfrcsRiIHau0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, DpwDuYlfrcsRiIHau0.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2
Source: C:\Users\user\Desktop\rrequestforquotation.exe File created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Users\user\Desktop\rrequestforquotation.exe File created: C:\Users\user\AppData\Local\Temp\tmpC98D.tmp
Source: rrequestforquotation.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rrequestforquotation.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\rrequestforquotation.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\rrequestforquotation.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000310E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: rrequestforquotation.exe Virustotal: Detection: 43%
Source: rrequestforquotation.exe String found in binary or memory: 0 All OKS1 Not all required parameters are given-2 Invalid IP-Address
Source: C:\Users\user\Desktop\rrequestforquotation.exe File read: C:\Users\user\Desktop\rrequestforquotation.exe
Source: unknown Process created: C:\Users\user\Desktop\rrequestforquotation.exe "C:\Users\user\Desktop\rrequestforquotation.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Users\user\Desktop\rrequestforquotation.exe "C:\Users\user\Desktop\rrequestforquotation.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp"
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Users\user\Desktop\rrequestforquotation.exe "C:\Users\user\Desktop\rrequestforquotation.exe"
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp"
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\rrequestforquotation.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\rrequestforquotation.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: rrequestforquotation.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rrequestforquotation.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, DpwDuYlfrcsRiIHau0.cs .Net Code: eoFUgZjjTi System.Reflection.Assembly.Load(byte[])
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, DpwDuYlfrcsRiIHau0.cs .Net Code: eoFUgZjjTi System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\rrequestforquotation.exe Code function: 0_2_077804EC push eax; ret 0_2_077804ED
Source: C:\Users\user\Desktop\rrequestforquotation.exe Code function: 0_2_07788240 pushfd ; retf 0_2_07788241
Source: C:\Users\user\Desktop\rrequestforquotation.exe Code function: 0_2_07A036D7 push ebx; iretd 0_2_07A036DA
Source: C:\Users\user\Desktop\rrequestforquotation.exe Code function: 0_2_07A03AD9 push ebx; retf 0_2_07A03ADA
Source: C:\Users\user\Desktop\rrequestforquotation.exe Code function: 0_2_07A0A9A8 push 000569C3h; ret 0_2_07A0AB89
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Code function: 9_2_0258EEE0 push eax; iretd 9_2_0258EEE1
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Code function: 9_2_0258EF28 pushad ; iretd 9_2_0258EF29
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Code function: 9_2_06F0A720 push 0000005Dh; ret 9_2_06F0A71A
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Code function: 9_2_06F004EC push eax; ret 9_2_06F004ED
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Code function: 9_2_06F08578 push eax; iretd 9_2_06F08579
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Code function: 15_2_014494D5 push 8BF88B71h; retf 15_2_014494DA
Source: rrequestforquotation.exe Static PE information: section name: .text entropy: 7.816513553096816
Source: oGnCNPiCwiAocn.exe.0.dr Static PE information: section name: .text entropy: 7.816513553096816
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, GYku1roNwo5rBaMuWt.cs High entropy of concatenated method names: 'HiG962KvRq', 'kFy9wLUSb1', 'EDU9yd5CFb', 'iJm9o42faP', 'cuH9QflC5l', 'Mjv9Dorc9t', 'Hh1954I0bQ', 'Qlr9JQRrAB', 'tFQ9KwY4oN', 'SRG9Y5MlGZ'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, QSpSsQL0khNy7Qj79R.cs High entropy of concatenated method names: 'fGpSEVu8VO', 'BApSeINopN', 'geF9rynHLj', 'LXb9NniBh4', 'ndw9C7ogd1', 'zdd9MSJVHX', 'eGe94X0Ibg', 'ugb9aYHmwA', 'IrG9hnKmx2', 'MTc9j9HxIw'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, YX4IEbBrg4SD6qmE5u.cs High entropy of concatenated method names: 'kLQn7YE2Ih', 'IENnI2hudE', 'wx5nS4eYan', 'diYnpDTce2', 'bDbnlvDab2', 'XUKSGYD1VA', 'tSvS3PD1mn', 'VoQSvBgGEN', 'GvGSbbJVfP', 'Wc3SAgsiPA'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, OeiyTIhDn8YGOTrZlh.cs High entropy of concatenated method names: 'Rt8pTE1bs4', 'BuNptERmrk', 'GR0pgdreGS', 'ysOp6jVg5Y', 'vjqpEbTXEF', 'XJ8pw2CErB', 'Ve8peKrDaw', 'fJvpyNLTij', 'sMZpoQUwup', 'rUcpLr7sjM'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, LlYKnD1V9gkRGyC1p5.cs High entropy of concatenated method names: 'TNnglcwR1', 'BhY6BQVck', 'qsDw3S0jo', 'qiseECCU1', 'TJ1oyPrde', 'dmlLCLmql', 'UFDMhLnHhYSyqc9Jmp', 'VUvVu3HjTFL4VLkIWS', 'yBNJLq0sp', 'BdxYQsowe'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, noJVUCPHmWUAi424VOb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tghY8vgNSB', 'YsUYmV5vi7', 'tuhYxc8wlr', 'e0cYuGyiUf', 'dkgYFfT0xt', 'ahcYW3K6yF', 'roSY2nQPKR'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, q9AcqOUYlHAMkDLhYw.cs High entropy of concatenated method names: 'y4nPpuqVWn', 'HJFPl34oGX', 'HNwPZo5rBa', 'KuWP0txSpS', 'oj7PQ9RiX4', 'gEbPDrg4SD', 'YbNQtStToN8IAuJDjO', 'JqMjheW3pYqdDXrDll', 'yJOPPbZcxj', 'KF1PsBvZYl'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, NEKS1qPsAFU1Osfwq1h.cs High entropy of concatenated method names: 'RwBOiwRy8W', 'WIOOzgQyV9', 'WrIXHf0UMs', 'YusTijSYNavnmmwtyeL', 'pBKsF1SzlGPMrjcbs3c', 'h6GfP9q4Pwnv420IBJH', 'w7uowfqXQaHEI6kwHmX'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, gCTJf33HZ6l9Op9aZO.cs High entropy of concatenated method names: 'UYl5bc4iCW', 'dOF5iVa5yK', 'eQgJHxERT2', 'JJiJProqJU', 'PBl58JW3oU', 'N6c5mTLgYS', 'N7H5xAQ7yu', 'UHm5uQhYJR', 'kdk5FJeNyG', 'rJj5Wcn43Q'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, e6HY9Yx1ceLU0f0cxR.cs High entropy of concatenated method names: 'u2BRye9atX', 'AxQRoVPHf8', 'NQPRBLfM1U', 'KZ1RkV1P6d', 'tdWRN9x7RD', 'e5lRC7YW7X', 'SG0R43Lubp', 'CLARaQJEDg', 'qSpRjbsf7r', 'nfKR8ertZi'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, r3Pmvkz50iQUhHHYPJ.cs High entropy of concatenated method names: 'Q1BYwsWGe0', 'OjOYysuN8d', 'SoSYoecYm3', 'a28YBvb0J6', 'E7wYkqXrJT', 'YBoYNisfPM', 'W6NYCG8cjb', 'PivYfMw6oq', 'AbcYTSUPeZ', 'dUfYtpgB03'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, V9oYJ5PUNJtmrX5Oda7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DetXK9dOaE', 'WwWXYAj0uh', 'svFXOYtEcC', 'DYYXXDxbMe', 'WeKXc9pmBf', 'EEHXdZcdO1', 'PLfXfHuD2m'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, DpwDuYlfrcsRiIHau0.cs High entropy of concatenated method names: 'hNUs71RsHe', 'jtusqNuYvg', 'EEFsIRF7o2', 'Wqgs9MawBC', 'bp4sSpubSQ', 'CgwsnACAth', 'AhaspZlYG8', 'XcuslZUQLx', 'HeasVP7ZsM', 'PRSsZZDAfu'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, eyv5YOuMjDLrlxxby8.cs High entropy of concatenated method names: 'TBsQjMdnj4', 'hbkQmToKY1', 'S4yQuZJ3K8', 'jvjQFWLgPB', 'iErQkARCih', 'G63Qr4RXJ8', 'bP3QN3qllB', 'zvLQCViqIl', 'uSGQMU9oxq', 'JvkQ4MFfAj'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, OlKBxpAU6MoVNw4Ycq.cs High entropy of concatenated method names: 'HBpKBBKhsI', 'TTGKkl4bE6', 'HybKrDOk7p', 'Du2KNY2s6n', 'xiCKC1mRhU', 'UYuKMTkwrX', 'KGCK4eUp05', 'uKGKabbvdZ', 'mhiKh8SwmT', 'k1eKjEOOHy'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, I7dWmOvlfxTPrEsXZh.cs High entropy of concatenated method names: 'tBJKQXEauU', 'ojwK5WrHc1', 'DuuKKlCGjn', 'eQeKOKQGJ1', 'cDjKcRipXe', 'wX7Kf57qxb', 'Dispose', 'PljJqBrkai', 'PV0JIB1sYQ', 'ljcJ9H8pT5'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, FsVG3kPPXPBJ5utfbyr.cs High entropy of concatenated method names: 'uxqYi5iImu', 'EhjYzKQTej', 'OlhOH6RXdm', 'XZkOP7uNsa', 'bYSO1adajF', 'CA3OsAkPS3', 'mmmOUC1ju5', 'jsSO7cVA0e', 'PbyOqhVGws', 'wJ1OISaS1x'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, bHBohr2Tn3xNRHDyxl.cs High entropy of concatenated method names: 'uBS5Z82B7J', 'SZP50gFU18', 'ToString', 'I0d5qZHVGQ', 'IJN5IbJOlR', 'UsL59SJyaq', 'IrB5SPKTEy', 'FBN5nG89aw', 'VYA5pdGqn3', 'U7T5l5HmAT'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, rha776WQSPKos2EHbJ.cs High entropy of concatenated method names: 'ToString', 't2YD8MPnT6', 'jJGDkytpO5', 'bMODroPurI', 'VpcDNEHATn', 'lRnDCHaufL', 'ybeDM0XPh6', 'l35D4Y2dql', 'YiADaRHeSq', 'PSQDhxs5uP'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, juqVWnykJF34oGXK3k.cs High entropy of concatenated method names: 'psKIuej4bp', 'pM8IFvDN1i', 'NMjIWTkkOR', 'NLII2yO5IT', 'G46IGhy3a4', 'G4xI3EKe6S', 'gVHIvMuKL6', 'KxgIbYuPZ3', 'mbMIASNfhZ', 'jl7IidbwtC'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, F5O3tc92kohVo17ZZC.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ptl1A0Y5kl', 'jTj1iJf1kN', 'DaY1znNUr4', 'nNBsHwg1v6', 'U6gsPCGtVs', 'UFFs1LgtEr', 'Rm5ssabF1A', 'TmULl5XAcgryKURRD8H'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, A9wJF2IoxiZX04GLPG.cs High entropy of concatenated method names: 'Dispose', 'QTPPArEsXZ', 'lha1k5M2JS', 'PMHEXYlvWx', 'NN5Pi8YBfx', 'BbcPzmuOca', 'ProcessDialogKey', 'hS81HlKBxp', 'd6M1PoVNw4', 'scq11rfSvG'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, GYku1roNwo5rBaMuWt.cs High entropy of concatenated method names: 'HiG962KvRq', 'kFy9wLUSb1', 'EDU9yd5CFb', 'iJm9o42faP', 'cuH9QflC5l', 'Mjv9Dorc9t', 'Hh1954I0bQ', 'Qlr9JQRrAB', 'tFQ9KwY4oN', 'SRG9Y5MlGZ'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, QSpSsQL0khNy7Qj79R.cs High entropy of concatenated method names: 'fGpSEVu8VO', 'BApSeINopN', 'geF9rynHLj', 'LXb9NniBh4', 'ndw9C7ogd1', 'zdd9MSJVHX', 'eGe94X0Ibg', 'ugb9aYHmwA', 'IrG9hnKmx2', 'MTc9j9HxIw'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, YX4IEbBrg4SD6qmE5u.cs High entropy of concatenated method names: 'kLQn7YE2Ih', 'IENnI2hudE', 'wx5nS4eYan', 'diYnpDTce2', 'bDbnlvDab2', 'XUKSGYD1VA', 'tSvS3PD1mn', 'VoQSvBgGEN', 'GvGSbbJVfP', 'Wc3SAgsiPA'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, OeiyTIhDn8YGOTrZlh.cs High entropy of concatenated method names: 'Rt8pTE1bs4', 'BuNptERmrk', 'GR0pgdreGS', 'ysOp6jVg5Y', 'vjqpEbTXEF', 'XJ8pw2CErB', 'Ve8peKrDaw', 'fJvpyNLTij', 'sMZpoQUwup', 'rUcpLr7sjM'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, LlYKnD1V9gkRGyC1p5.cs High entropy of concatenated method names: 'TNnglcwR1', 'BhY6BQVck', 'qsDw3S0jo', 'qiseECCU1', 'TJ1oyPrde', 'dmlLCLmql', 'UFDMhLnHhYSyqc9Jmp', 'VUvVu3HjTFL4VLkIWS', 'yBNJLq0sp', 'BdxYQsowe'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, noJVUCPHmWUAi424VOb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tghY8vgNSB', 'YsUYmV5vi7', 'tuhYxc8wlr', 'e0cYuGyiUf', 'dkgYFfT0xt', 'ahcYW3K6yF', 'roSY2nQPKR'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, q9AcqOUYlHAMkDLhYw.cs High entropy of concatenated method names: 'y4nPpuqVWn', 'HJFPl34oGX', 'HNwPZo5rBa', 'KuWP0txSpS', 'oj7PQ9RiX4', 'gEbPDrg4SD', 'YbNQtStToN8IAuJDjO', 'JqMjheW3pYqdDXrDll', 'yJOPPbZcxj', 'KF1PsBvZYl'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, NEKS1qPsAFU1Osfwq1h.cs High entropy of concatenated method names: 'RwBOiwRy8W', 'WIOOzgQyV9', 'WrIXHf0UMs', 'YusTijSYNavnmmwtyeL', 'pBKsF1SzlGPMrjcbs3c', 'h6GfP9q4Pwnv420IBJH', 'w7uowfqXQaHEI6kwHmX'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, gCTJf33HZ6l9Op9aZO.cs High entropy of concatenated method names: 'UYl5bc4iCW', 'dOF5iVa5yK', 'eQgJHxERT2', 'JJiJProqJU', 'PBl58JW3oU', 'N6c5mTLgYS', 'N7H5xAQ7yu', 'UHm5uQhYJR', 'kdk5FJeNyG', 'rJj5Wcn43Q'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, e6HY9Yx1ceLU0f0cxR.cs High entropy of concatenated method names: 'u2BRye9atX', 'AxQRoVPHf8', 'NQPRBLfM1U', 'KZ1RkV1P6d', 'tdWRN9x7RD', 'e5lRC7YW7X', 'SG0R43Lubp', 'CLARaQJEDg', 'qSpRjbsf7r', 'nfKR8ertZi'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, r3Pmvkz50iQUhHHYPJ.cs High entropy of concatenated method names: 'Q1BYwsWGe0', 'OjOYysuN8d', 'SoSYoecYm3', 'a28YBvb0J6', 'E7wYkqXrJT', 'YBoYNisfPM', 'W6NYCG8cjb', 'PivYfMw6oq', 'AbcYTSUPeZ', 'dUfYtpgB03'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, V9oYJ5PUNJtmrX5Oda7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DetXK9dOaE', 'WwWXYAj0uh', 'svFXOYtEcC', 'DYYXXDxbMe', 'WeKXc9pmBf', 'EEHXdZcdO1', 'PLfXfHuD2m'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, DpwDuYlfrcsRiIHau0.cs High entropy of concatenated method names: 'hNUs71RsHe', 'jtusqNuYvg', 'EEFsIRF7o2', 'Wqgs9MawBC', 'bp4sSpubSQ', 'CgwsnACAth', 'AhaspZlYG8', 'XcuslZUQLx', 'HeasVP7ZsM', 'PRSsZZDAfu'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, eyv5YOuMjDLrlxxby8.cs High entropy of concatenated method names: 'TBsQjMdnj4', 'hbkQmToKY1', 'S4yQuZJ3K8', 'jvjQFWLgPB', 'iErQkARCih', 'G63Qr4RXJ8', 'bP3QN3qllB', 'zvLQCViqIl', 'uSGQMU9oxq', 'JvkQ4MFfAj'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, OlKBxpAU6MoVNw4Ycq.cs High entropy of concatenated method names: 'HBpKBBKhsI', 'TTGKkl4bE6', 'HybKrDOk7p', 'Du2KNY2s6n', 'xiCKC1mRhU', 'UYuKMTkwrX', 'KGCK4eUp05', 'uKGKabbvdZ', 'mhiKh8SwmT', 'k1eKjEOOHy'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, I7dWmOvlfxTPrEsXZh.cs High entropy of concatenated method names: 'tBJKQXEauU', 'ojwK5WrHc1', 'DuuKKlCGjn', 'eQeKOKQGJ1', 'cDjKcRipXe', 'wX7Kf57qxb', 'Dispose', 'PljJqBrkai', 'PV0JIB1sYQ', 'ljcJ9H8pT5'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, FsVG3kPPXPBJ5utfbyr.cs High entropy of concatenated method names: 'uxqYi5iImu', 'EhjYzKQTej', 'OlhOH6RXdm', 'XZkOP7uNsa', 'bYSO1adajF', 'CA3OsAkPS3', 'mmmOUC1ju5', 'jsSO7cVA0e', 'PbyOqhVGws', 'wJ1OISaS1x'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, bHBohr2Tn3xNRHDyxl.cs High entropy of concatenated method names: 'uBS5Z82B7J', 'SZP50gFU18', 'ToString', 'I0d5qZHVGQ', 'IJN5IbJOlR', 'UsL59SJyaq', 'IrB5SPKTEy', 'FBN5nG89aw', 'VYA5pdGqn3', 'U7T5l5HmAT'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, rha776WQSPKos2EHbJ.cs High entropy of concatenated method names: 'ToString', 't2YD8MPnT6', 'jJGDkytpO5', 'bMODroPurI', 'VpcDNEHATn', 'lRnDCHaufL', 'ybeDM0XPh6', 'l35D4Y2dql', 'YiADaRHeSq', 'PSQDhxs5uP'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, juqVWnykJF34oGXK3k.cs High entropy of concatenated method names: 'psKIuej4bp', 'pM8IFvDN1i', 'NMjIWTkkOR', 'NLII2yO5IT', 'G46IGhy3a4', 'G4xI3EKe6S', 'gVHIvMuKL6', 'KxgIbYuPZ3', 'mbMIASNfhZ', 'jl7IidbwtC'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, F5O3tc92kohVo17ZZC.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ptl1A0Y5kl', 'jTj1iJf1kN', 'DaY1znNUr4', 'nNBsHwg1v6', 'U6gsPCGtVs', 'UFFs1LgtEr', 'Rm5ssabF1A', 'TmULl5XAcgryKURRD8H'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, A9wJF2IoxiZX04GLPG.cs High entropy of concatenated method names: 'Dispose', 'QTPPArEsXZ', 'lha1k5M2JS', 'PMHEXYlvWx', 'NN5Pi8YBfx', 'BbcPzmuOca', 'ProcessDialogKey', 'hS81HlKBxp', 'd6M1PoVNw4', 'scq11rfSvG'
Source: C:\Users\user\Desktop\rrequestforquotation.exe File created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Boot Survival

Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\rrequestforquotation.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\rrequestforquotation.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: oGnCNPiCwiAocn.exe PID: 7896, type: MEMORYSTR
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: 1260000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: 2CB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: 7B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: 8B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: 8CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: 9CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: F90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: 2990000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Memory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Memory allocated: 26E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Memory allocated: 7050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Memory allocated: 8050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Memory allocated: 81F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Memory allocated: 91F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Memory allocated: 1440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Memory allocated: 2EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Memory allocated: 4EB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599094
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598984
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598875
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598766
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598655
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598547
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598437
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598328
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598218
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598109
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598000
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597788
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597679
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597446
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597318
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597188
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597078
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596968
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596859
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596750
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596641
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596531
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596421
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596312
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596203
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596086
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595969
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595859
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595750
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595641
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595531
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595422
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595313
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595188
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595063
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594938
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594823
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594701
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594587
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594469
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594359
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594250
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594141
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594029
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598678
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598419
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598217
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597999
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597766
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597188
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597079
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596954
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596704
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596579
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596454
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596329
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596204
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596079
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595954
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595704
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595579
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595454
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595329
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595204
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594110
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 593985
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 593860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5497
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6780
Source: C:\Users\user\Desktop\rrequestforquotation.exe Window / User API: threadDelayed 2537
Source: C:\Users\user\Desktop\rrequestforquotation.exe Window / User API: threadDelayed 7305
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Window / User API: threadDelayed 6992
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Window / User API: threadDelayed 2829
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 7304 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7732 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7844 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8064 Thread sleep count: 2537 > 30
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8064 Thread sleep count: 7305 > 30
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598766s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598655s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -597788s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -597679s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -597446s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -597318s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -597188s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -597078s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -596968s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -596859s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -596750s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -596641s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -596531s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -596421s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -596312s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -596086s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -595859s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -595750s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -595641s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -595422s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -595188s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -594938s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -594823s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -594701s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -594587s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -594469s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -594359s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -594250s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -594141s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -594029s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 7924 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 2316 Thread sleep count: 6992 > 30
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 2316 Thread sleep count: 2829 > 30
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -599782s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -598829s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -598678s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -598419s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -598217s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -597999s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -597891s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -597766s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -597313s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -597188s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -597079s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -596954s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -596829s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -596704s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -596579s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -596454s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -596329s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -596204s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -596079s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -595954s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -595829s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -595704s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -595579s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -595454s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -595329s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -595204s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -595078s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -594969s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -594110s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -593985s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -593860s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 599094 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598766 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598655 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598547 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 598000 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597788 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597679 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597446 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597318 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597188 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596968 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596750 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596641 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596421 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596312 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 596086 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595750 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595313 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594938 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594823 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594701 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594587 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594469 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594359 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594250 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594141 Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 594029 Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598678
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598419
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598217
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597999
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597766
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597188
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 597079
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596954
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596704
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596579
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596454
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596329
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596204
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 596079
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595954
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595704
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595579
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595454
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595329
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595204
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 594110
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 593985
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Thread delayed: delay time: 593860
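Reading the run of sleep lines above by hand is tedious, so here is a small triage script, added as an example and not part of the sandbox report. It parses the three line shapes the report uses ("Thread sleep time", "Thread sleep count", "Thread delayed") and aggregates them per source image. Two interpretations are assumptions, stated in the code: the magnitudes printed with an "s" suffix are treated as milliseconds (600000, 599891, 599782 ... is then a loop re-sleeping for the remainder of a 10-minute timer), and 922337203685477 is taken as the largest 64-bit delay the kernel accepts expressed in ms (0x7FFFFFFFFFFFFFFF 100-ns ticks), i.e. a wait that never returns rather than a real timer. The sample text is a handful of lines copied from this section; the 3-minute and 30-iteration thresholds mirror the report's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the sleep/delay section of the report
# above (one per line type), kept as a raw string so the Windows paths survive.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060 Thread sleep time: -598109s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 7924 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 2316 Thread sleep count: 6992 > 30
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\rrequestforquotation.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
"""

# Line shapes used by the report. The tool prints relative delays with a leading
# minus and an "s" suffix; the magnitudes behave like milliseconds (600000 = 10 min),
# which is the assumption used here. Trailing link text ("Jump to behavior") is ignored.
SLEEP_TIME_RE = re.compile(
    r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep time: -?(?P<ms>\d+)s >= -(?P<thr>\d+)s")
SLEEP_COUNT_RE = re.compile(
    r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+) > (?P<thr>\d+)")
DELAY_RE = re.compile(r"^Source: (?P<src>.+?) Thread delayed: delay time: (?P<ms>\d+)")

# 0x7FFFFFFFFFFFFFFF 100-ns ticks expressed in ms: the largest delay the kernel
# accepts, i.e. an effectively infinite wait rather than a real timer (assumption).
INFINITE_MS = (2**63 - 1) // 10_000          # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                # 3 minutes, the report's own threshold
LOOP_COUNT = 30                              # sleep-count threshold used by the report


def _new_stats():
    return {"events": 0, "max_ms": 0, "total_ms": 0,
            "long_sleeps": 0, "infinite_waits": 0, "loop_threads": set()}


def summarize(report_text):
    """Aggregate sleep/delay evidence per source image."""
    per_source = defaultdict(_new_stats)
    for line in report_text.splitlines():
        m = SLEEP_TIME_RE.match(line) or DELAY_RE.match(line)
        if m:
            ms = int(m["ms"])
            st = per_source[m["src"]]
            st["events"] += 1
            if ms >= INFINITE_MS:
                st["infinite_waits"] += 1        # not a timer: wait forever
                continue
            st["total_ms"] += ms
            st["max_ms"] = max(st["max_ms"], ms)
            if ms >= LONG_SLEEP_MS:
                st["long_sleeps"] += 1
            continue
        m = SLEEP_COUNT_RE.match(line)
        if m and int(m["n"]) > LOOP_COUNT:
            per_source[m["src"]]["loop_threads"].add(int(m["tid"]))
    return dict(per_source)


def evasion_verdict(summary):
    """Sources whose sleep profile looks like sandbox time-out evasion, with reasons."""
    verdicts = {}
    for src, st in summary.items():
        reasons = []
        if st["long_sleeps"]:
            reasons.append(f"{st['long_sleeps']} sleep(s) >= {LONG_SLEEP_MS // 60000} min "
                           f"(max {st['max_ms']} ms)")
        if st["infinite_waits"]:
            reasons.append(f"{st['infinite_waits']} infinite wait(s)")
        if st["loop_threads"]:
            reasons.append(f"tight sleep loop in TID(s) {sorted(st['loop_threads'])}")
        if reasons:
            verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for src, reasons in evasion_verdict(summarize(SAMPLE_REPORT)).items():
        print(src)
        for reason in reasons:
            print("   -", reason)
```

Run against the full report text instead of the embedded sample and both the dropper on the Desktop and the copy in AppData\Roaming come out with multi-minute sleeps, an infinite wait and thousands of short sleeps in one thread; conhost.exe, which only shows "Last function: Thread delayed", contributes nothing and is correctly absent from the summary.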
Source: oGnCNPiCwiAocn.exe, 0000000F.00000002.4143308407.00000000011B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpHandlers />
Source: rrequestforquotation.exe, 00000008.00000002.4144260321.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe" Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe" Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Memory written: C:\Users\user\Desktop\rrequestforquotation.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Memory written: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe" Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe" Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp" Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Process created: C:\Users\user\Desktop\rrequestforquotation.exe "C:\Users\user\Desktop\rrequestforquotation.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe" Jump to behavior
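The process-creation lines above are the three behaviours a detection engineer would want to alert on from endpoint telemetry: a Defender exclusion added for the malware's own paths via Add-MpPreference, a scheduled task registered from an XML file dropped in %TEMP%, and a process spawning a second copy of its own image (the suspended child that then receives a PE header, 4D5A at base 0x400000). The following detection logic is an added example and not part of the report or of any vendor rule set. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) as an assumption; the events are constructed to mirror the lines above, and the base64 -EncodedCommand variant is constructed by us to show how the same cmdlet is caught when it is hidden, since this section shows only the clear-text form. The self-spawn check is a weak heuristic on its own, because a process-creation log cannot see the memory write that completes the hollowing.

```python
import base64
import re

# Detection rules (this example's own regexes, not taken from the report).
EXCLUSION_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM = re.compile(r"-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/Create\b", re.IGNORECASE)
XML_ARG = re.compile(r'/XML\s+"?([^"\s]+)', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# Common spellings of powershell.exe's -EncodedCommand switch followed by base64.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(event):
    """Return finding tags for one process-creation event (Sysmon EID 1 field names)."""
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = f"{cmd} {decoded}" if decoded else cmd   # match on the decoded script too
    findings = []

    # 1. Defender exclusion added from the command line. Excluding a path under a
    #    user-writable directory is the self-whitelisting pattern seen above.
    if EXCLUSION_CMDLET.search(text) and EXCLUSION_PARAM.search(text):
        sev = "high" if USER_WRITABLE.search(text) else "medium"
        findings.append(f"defender_exclusion:{sev}" + (" (base64-encoded)" if decoded else ""))

    # 2. Scheduled task registered from an XML definition dropped in a temp directory.
    if SCHTASKS_CREATE.search(cmd):
        m = XML_ARG.search(cmd)
        if m and TEMP_DIR.search(m.group(1)):
            findings.append("schtask_from_temp_xml:high")
        else:
            findings.append("schtask_create:low")

    # 3. A process launching a second copy of its own image: the shape of the
    #    suspended-child hollowing above, but weak evidence without the memory write.
    parent, image = event.get("ParentImage", ""), event.get("Image", "")
    if parent and parent.lower() == image.lower():
        findings.append("self_spawn_hollowing_candidate:medium")
    return findings


def scan(events):
    """Map event index -> findings for every event that triggered a rule."""
    results = {}
    for i, event in enumerate(events):
        findings = detect(event)
        if findings:
            results[i] = findings
    return results


# Constructed Sysmon-style events modelled on the process-creation lines above.
PS_SYS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_WOW = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\rrequestforquotation.exe"
PAYLOAD = r"C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
# Encoded variant constructed here to exercise the decoder (the report shows clear text).
ENCODED = base64.b64encode(
    f'Add-MpPreference -ExclusionPath "{PAYLOAD}"'.encode("utf-16-le")).decode("ascii")

EVENTS = [
    {"ParentImage": DROPPER, "Image": PS_WOW,
     "CommandLine": f'"{PS_SYS}" Add-MpPreference -ExclusionPath "{PAYLOAD}"'},
    {"ParentImage": DROPPER, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp"'},
    {"ParentImage": DROPPER, "Image": DROPPER, "CommandLine": f'"{DROPPER}"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_WOW,
     "CommandLine": '"powershell.exe" Get-MpPreference'},          # benign read-only query
    {"ParentImage": DROPPER, "Image": PS_WOW, "CommandLine": f'"powershell.exe" -enc {ENCODED}'},
]

if __name__ == "__main__":
    for idx, findings in scan(EVENTS).items():
        print(idx, EVENTS[idx]["Image"], findings)
```

The read-only Get-MpPreference event produces nothing, which is the point of matching on Add/Set plus an -Exclusion* parameter rather than on "MpPreference" alone; the decoded -EncodedCommand event is tagged the same as its clear-text twin, so an attacker gains nothing by encoding the cmdlet.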
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Users\user\Desktop\rrequestforquotation.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Users\user\Desktop\rrequestforquotation.exe VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rrequestforquotation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4145794163.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4146056209.000000000307F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4145794163.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4146056209.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: oGnCNPiCwiAocn.exe PID: 6112, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rrequestforquotation.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\rrequestforquotation.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: oGnCNPiCwiAocn.exe PID: 6112, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4145794163.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4146056209.000000000307F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4145794163.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4146056209.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: oGnCNPiCwiAocn.exe PID: 6112, type: MEMORYSTR