
Analysis Report Request for Quotation-V-40795.exe

Overview

General Information

Sample Name: Request for Quotation-V-40795.exe
Analysis ID: 288069
MD5: da90b811a5cfbba379ddae86b8c491ab
SHA1: dce5319b767478c31ad53c0c9dd641aeb8a8dcad
SHA256: 59dff99d3dc07fa8fe98e9a6ad0860e45dd938214c344a6099bd32d9256b5e2e

Most interesting Screenshot:

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.432762625.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: Request for Quotation-V-40795.exe PID: 3364 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: Request for Quotation-V-40795.exe PID: 3364 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: Request for Quotation-V-40795.exe PID: 5456 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: Request for Quotation-V-40795.exe PID: 5456 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: Request for Quotation-V-40795.exe, VirusTotal: Detection: 58%
Source: Request for Quotation-V-40795.exe, ReversingLabs: Detection: 68%
Machine Learning detection for sample
Source: Request for Quotation-V-40795.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe, Code function: 1_2_00568734 InternetReadFile,1_2_00568734
Source: unknown, DNS traffic detected: queries for: onedrive.live.com
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0F
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.msocsp.com0
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://account.live.com/security/LoginStage.aspx?lmif=1000&ru=https://login.live.com/login.srf%3Fwa
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/%2Fonedrive.live.com%2Fdownload%3Fcid%3DB86046E8
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/-
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/.b.lg.prod.aadmsa.trafficmanager.net
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/.b.lg.prod.aadmsa.trafficmanager.net#
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/.b.lg.prod.aadmsa.trafficmanager.net-
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/.b.lg.prod.aadmsa.trafficmanager.net?
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/.b.lg.prod.aadmsa.trafficmanager.netG
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Foned
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/8
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/?
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/AKylfVJFuNg4ZGY&lc=1033&id=250206&cbcxt=sky&cbcx
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/J
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/Q
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/Ref
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/W
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/WebServer:
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/c
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/d%3DB86046E8CBD4254B%2521106%26authkey%3DAKylfVJ
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/e:
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/g
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/idseq=1;
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/ie:
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/k
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/l
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/lKz
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695770&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433182487.0000000000A0C000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695777&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433182487.0000000000A0C000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695778&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433182487.0000000000A0C000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695779&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433182487.0000000000A0C000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695780&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433182487.0000000000A0C000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695781&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433182487.0000000000A0C000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695782&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695784&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695785&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695786&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695787&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695788&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695789&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695790&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695791&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695792&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695793&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695794&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695795&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695796&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695797&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695798&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695799&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695800&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695801&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695802&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695803&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695804&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695805&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695806&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695807&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695809&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695810&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695811&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695812&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695813&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695814&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695815&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695816&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695817&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695818&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695819&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695820&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695822&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695823&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695824&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695825&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695826&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695827&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695828&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695832&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695834&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695835&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.433079728.00000000009C8000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695836&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695837&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695838&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695839&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695840&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695841&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695842&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695843&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695844&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695845&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695846&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695847&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695848&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695849&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695850&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695851&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695852&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695853&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695854&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695855&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695856&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695857&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695858&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695859&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695860&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695861&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695862&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695863&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.433448910.0000000000A6F000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695864&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695865&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695866&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695867&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433448910.0000000000A6F000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695868&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695869&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.433448910.0000000000A6F000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695870&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1600695871&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=htt
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/nt-Type-Options:
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/ography
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/pp1600/
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/y
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://logincdn.msauth.net/shared/1.0/
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433079728.00000000009C8000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/)
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/B&resid=B86046E8CBD4254B%21106&authkey=AKylfVJFuNg4ZGY
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download%3fcid%3dB86046E8CBD4254B%26resid%3dB86046E8CBD4254B%2521106%26aut
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.432711145.000000000019A000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=B86046E8CBD4254B&resid=B
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=B86046E8CBD4254B&resid=B86046E8CBD4254B%21106&authkey=AKylfVJ
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/ownload?cid=B86046E8CBD4254B&resid=B86046E8CBD4254B%21106&authkey=AKylfVJF
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433297858.0000000000A2E000.00000004.00000020.sdmp String found in binary or memory: https://p.sfx.ms/login/v1/header.html?id=250206&mkt=EN-US&cbcxt=sky
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433473170.0000000000A76000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/CPS0
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Process Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02167648 NtSetInformationThread,TerminateProcess, 0_2_02167648
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02167A80 NtSetInformationThread,TerminateProcess, 0_2_02167A80
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_0216810D NtProtectVirtualMemory, 0_2_0216810D
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02168734 NtResumeThread, 0_2_02168734
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02163139 NtWriteVirtualMemory, 0_2_02163139
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_021605E0 EnumWindows,NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess, 0_2_021605E0
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_0216340A NtWriteVirtualMemory, 0_2_0216340A
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02163628 NtWriteVirtualMemory, 0_2_02163628
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02168848 NtResumeThread, 0_2_02168848
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_021666FB NtSetInformationThread,TerminateProcess, 0_2_021666FB
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02168B1A NtResumeThread, 0_2_02168B1A
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02160732 NtSetInformationThread,TerminateProcess, 0_2_02160732
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_0216873E NtResumeThread, 0_2_0216873E
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_0216173B NtSetInformationThread,TerminateProcess, 0_2_0216173B
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_0216895A NtResumeThread, 0_2_0216895A
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02161343 NtSetInformationThread,TerminateProcess, 0_2_02161343
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02163392 NtWriteVirtualMemory, 0_2_02163392
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02168592 NtProtectVirtualMemory, 0_2_02168592
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_021631D6 NtWriteVirtualMemory, 0_2_021631D6
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00567648 NtSetInformationThread,NtProtectVirtualMemory, 1_2_00567648
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00567A80 NtSetInformationThread, 1_2_00567A80
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_0056810D NtProtectVirtualMemory, 1_2_0056810D
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_005605E0 EnumWindows,NtSetInformationThread, 1_2_005605E0
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00561061 NtProtectVirtualMemory, 1_2_00561061
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_005610F4 NtProtectVirtualMemory, 1_2_005610F4
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_005666FB NtSetInformationThread, 1_2_005666FB
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00561087 NtProtectVirtualMemory, 1_2_00561087
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00561343 NtSetInformationThread, 1_2_00561343
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_0056114B NtProtectVirtualMemory, 1_2_0056114B
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00560732 NtSetInformationThread, 1_2_00560732
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_0056173B NtSetInformationThread, 1_2_0056173B
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00568592 NtProtectVirtualMemory, 1_2_00568592
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_00401BE7 0_2_00401BE7
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_004020A0 0_2_004020A0
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00567648 1_2_00567648
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.188583346.0000000002130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Request for Quotation-V-40795.exe
            Source: Request for Quotation-V-40795.exe, 00000000.00000000.167757867.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePreassigns9.exe vs Request for Quotation-V-40795.exe
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.438579232.000000001DD90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Request for Quotation-V-40795.exe
            Source: Request for Quotation-V-40795.exe, 00000001.00000000.187186046.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePreassigns9.exe vs Request for Quotation-V-40795.exe
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.438624845.000000001DEE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Request for Quotation-V-40795.exe
            Source: Request for Quotation-V-40795.exe Binary or memory string: OriginalFilenamePreassigns9.exe vs Request for Quotation-V-40795.exe
            Source: classification engine Classification label: mal96.troj.evad.winEXE@3/0@1/0
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe File created: C:\Users\user\AppData\Local\Temp\~DF5B67993ED5509A7B.TMP
            Source: Request for Quotation-V-40795.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: Request for Quotation-V-40795.exe Virustotal: Detection: 58%
            Source: Request for Quotation-V-40795.exe ReversingLabs: Detection: 68%
            Source: unknown Process created: C:\Users\user\Desktop\Request for Quotation-V-40795.exe 'C:\Users\user\Desktop\Request for Quotation-V-40795.exe'
            Source: unknown Process created: C:\Users\user\Desktop\Request for Quotation-V-40795.exe 'C:\Users\user\Desktop\Request for Quotation-V-40795.exe'
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Process created: C:\Users\user\Desktop\Request for Quotation-V-40795.exe 'C:\Users\user\Desktop\Request for Quotation-V-40795.exe'

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match File source: 00000001.00000002.432762625.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: Request for Quotation-V-40795.exe PID: 3364, type: MEMORY
            Source: Yara match File source: Process Memory Space: Request for Quotation-V-40795.exe PID: 5456, type: MEMORY
            Yara detected VB6 Downloader Generic
            Source: Yara match File source: Process Memory Space: Request for Quotation-V-40795.exe PID: 3364, type: MEMORY
            Source: Yara match File source: Process Memory Space: Request for Quotation-V-40795.exe PID: 5456, type: MEMORY
            Source: Request for Quotation-V-40795.exe Static PE information: real checksum: 0x1a7d8 should be: 0x1c522
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_00411657 push eax; ret 0_2_00411CCA
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_0040B05D push ebp; retf 0_2_0040B060
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_00404E94 push esi; iretd 0_2_00404E95
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_0040D79A push dword ptr [eax-3C004F50h]; ret 0_2_0040D7C4
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_0040B19E push DABA655Bh; iretd 0_2_0040B1C6
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02163139 NtWriteVirtualMemory, 0_2_02163139
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_021605E0 EnumWindows,NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess, 0_2_021605E0
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_021631D6 NtWriteVirtualMemory, 0_2_021631D6
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_005605E0 EnumWindows,NtSetInformationThread, 1_2_005605E0
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00563139 1_2_00563139
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_005631D6 1_2_005631D6
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe RDTSC instruction interceptor: First address: 0000000002167138 second address: 0000000002167138 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, 00000001h
                0x00000007 cpuid
                0x00000009 popad
                0x0000000a call 00007FC968A8B148h
                0x0000000f lfence
                0x00000012 mov edx, dword ptr [7FFE0014h]
                0x00000018 lfence
                0x0000001b ret
                0x0000001c sub edx, esi
                0x0000001e ret
                0x0000001f pushad
                0x00000020 mov si, 5728h
                0x00000024 cmp si, 5728h
                0x00000029 jne 00007FC968A8A5E1h
                0x0000002f popad
                0x00000030 cmp edx, edx
                0x00000032 pop ecx
                0x00000033 add edi, edx
                0x00000035 dec ecx
                0x00000036 cmp ecx, 00000000h
                0x00000039 jne 00007FC968A8B11Ah
                0x0000003b cmp edx, eax
                0x0000003d cmp dl, cl
                0x0000003f push ecx
                0x00000040 test ah, dh
                0x00000042 call 00007FC968A8B19Eh
                0x00000047 call 00007FC968A8B15Ah
                0x0000004c lfence
                0x0000004f mov edx, dword ptr [7FFE0014h]
                0x00000055 lfence
                0x00000058 ret
                0x00000059 mov esi, edx
                0x0000005b pushad
                0x0000005c rdtsc
            Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_1-13042
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.188595008.0000000002160000.00000040.00000001.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.432762625.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe RDTSC instruction interceptor: First address: 0000000002167138 second address: 0000000002167138 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, 00000001h
                0x00000007 cpuid
                0x00000009 popad
                0x0000000a call 00007FC968A8B148h
                0x0000000f lfence
                0x00000012 mov edx, dword ptr [7FFE0014h]
                0x00000018 lfence
                0x0000001b ret
                0x0000001c sub edx, esi
                0x0000001e ret
                0x0000001f pushad
                0x00000020 mov si, 5728h
                0x00000024 cmp si, 5728h
                0x00000029 jne 00007FC968A8A5E1h
                0x0000002f popad
                0x00000030 cmp edx, edx
                0x00000032 pop ecx
                0x00000033 add edi, edx
                0x00000035 dec ecx
                0x00000036 cmp ecx, 00000000h
                0x00000039 jne 00007FC968A8B11Ah
                0x0000003b cmp edx, eax
                0x0000003d cmp dl, cl
                0x0000003f push ecx
                0x00000040 test ah, dh
                0x00000042 call 00007FC968A8B19Eh
                0x00000047 call 00007FC968A8B15Ah
                0x0000004c lfence
                0x0000004f mov edx, dword ptr [7FFE0014h]
                0x00000055 lfence
                0x00000058 ret
                0x00000059 mov esi, edx
                0x0000005b pushad
                0x0000005c rdtsc
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe RDTSC instruction interceptor: First address: 000000000216715A second address: 000000000216715A instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a ret
                0x0000000b mov esi, edx
                0x0000000d pushad
                0x0000000e mov eax, 00000001h
                0x00000013 cpuid
                0x00000015 bt ecx, 1Fh
                0x00000019 jc 00007FC968E181D7h
                0x0000001f popad
                0x00000020 call 00007FC968E17D01h
                0x00000025 lfence
                0x00000028 rdtsc
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe RDTSC instruction interceptor: First address: 000000000056715A second address: 000000000056715A instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a ret
                0x0000000b mov esi, edx
                0x0000000d pushad
                0x0000000e mov eax, 00000001h
                0x00000013 cpuid
                0x00000015 bt ecx, 1Fh
                0x00000019 jc 00007FC968A8B7F7h
                0x0000001f popad
                0x00000020 call 00007FC968A8B321h
                0x00000025 lfence
                0x00000028 rdtsc
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02167648 rdtsc 0_2_02167648
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe TID: 852 Thread sleep count: 154 > 30
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe TID: 852 Thread sleep time: -1540000s >= -30000s
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Last function: Thread delayed
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.197076336.0000000004BAA000.00000004.00000001.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.197076336.0000000004BAA000.00000004.00000001.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.197076336.0000000004BAA000.00000004.00000001.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.197076336.0000000004BAA000.00000004.00000001.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.197076336.0000000004BAA000.00000004.00000001.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: vmicvss
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433240597.0000000000A17000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433079728.00000000009C8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWP>
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.188595008.0000000002160000.00000040.00000001.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.432762625.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.197076336.0000000004BAA000.00000004.00000001.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.197076336.0000000004BAA000.00000004.00000001.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
            Source: Request for Quotation-V-40795.exe, 00000000.00000002.197076336.0000000004BAA000.00000004.00000001.sdmp, Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.434000416.000000000254A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02167648 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02160793,00000000,00000000,00000000,00000000,? 0_2_02167648
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02167648 rdtsc 0_2_02167648
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02164166 LdrInitializeThunk, 0_2_02164166
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02167648 mov eax, dword ptr fs:[00000030h] 0_2_02167648
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02167A80 mov eax, dword ptr fs:[00000030h] 0_2_02167A80
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02167427 mov eax, dword ptr fs:[00000030h] 0_2_02167427
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02166C5F mov eax, dword ptr fs:[00000030h] 0_2_02166C5F
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02163B28 mov eax, dword ptr fs:[00000030h] 0_2_02163B28
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02166F5C mov eax, dword ptr fs:[00000030h] 0_2_02166F5C
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02162B45 mov eax, dword ptr fs:[00000030h] 0_2_02162B45
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02166567 mov eax, dword ptr fs:[00000030h] 0_2_02166567
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 0_2_02161FC0 mov eax, dword ptr fs:[00000030h] 0_2_02161FC0
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00567648 mov eax, dword ptr fs:[00000030h] 1_2_00567648
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00567A80 mov eax, dword ptr fs:[00000030h] 1_2_00567A80
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00566C5F mov eax, dword ptr fs:[00000030h] 1_2_00566C5F
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00567427 mov eax, dword ptr fs:[00000030h] 1_2_00567427
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00566F5C mov eax, dword ptr fs:[00000030h] 1_2_00566F5C
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00562B45 mov eax, dword ptr fs:[00000030h] 1_2_00562B45
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00566567 mov eax, dword ptr fs:[00000030h] 1_2_00566567
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00563B28 mov eax, dword ptr fs:[00000030h] 1_2_00563B28
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Code function: 1_2_00561FC0 mov eax, dword ptr fs:[00000030h] 1_2_00561FC0
            Source: C:\Users\user\Desktop\Request for Quotation-V-40795.exe Process created: C:\Users\user\Desktop\Request for Quotation-V-40795.exe 'C:\Users\user\Desktop\Request for Quotation-V-40795.exe'
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433646241.0000000000F50000.00000002.00000001.sdmp Binary or memory string: Program Manager
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433646241.0000000000F50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433646241.0000000000F50000.00000002.00000001.sdmp Binary or memory string: Progman
            Source: Request for Quotation-V-40795.exe, 00000001.00000002.433646241.0000000000F50000.00000002.00000001.sdmp Binary or memory string: Progmanlock

            Mitre Att&ck Matrix

            Techniques listed per tactic column; a number in parentheses is the report's signature-count badge, reproduced as extracted.

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
            Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
            Privilege Escalation: Process Injection (12); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
            Defense Evasion: Virtualization/Sandbox Evasion (22); Process Injection (12); Obfuscated Files or Information (1); Binary Padding; Software Packing
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
            Discovery: Security Software Discovery (721); Virtualization/Sandbox Evasion (22); Process Discovery (1); Remote System Discovery (1); System Information Discovery (31)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
            Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
            Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

            Behavior Graph

            (Behavior graph image not included in this extract.)

            Screenshots
