
Analysis Report Products Request for Quotation - RFQ - 20201016.exe

Overview

General Information

Sample Name: Products Request for Quotation - RFQ - 20201016.exe
Analysis ID: 299594
MD5: ade2434d3015afe2ea549e17fdae7b71
SHA1: 110abbd50218a12b8a68a32c86733e9636d3b4a8
SHA256: f062f04463a6c13f0235fb13d721547d99382b68b4381834b1e9ca4b1ea7d5e3
Tags: exe, SendGrid

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Products Request for Quotation - RFQ - 20201016.exe (PID: 1740 cmdline: 'C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe' MD5: ADE2434D3015AFE2EA549E17FDAE7B71)
    • timeout.exe (PID: 4464 cmdline: timeout 18 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 4532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • InstallUtil.exe (PID: 6772 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • WerFault.exe (PID: 6292 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000001.00000002.409687211.00000000041A5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 00000011.00000002.507593981.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 00000011.00000002.510382688.0000000002C41000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| Process Memory Space: Products Request for Quotation - RFQ - 20201016.exe PID: 1740 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| Process Memory Space: InstallUtil.exe PID: 6772 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |

Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 17.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Products Request for Quotation - RFQ - 20201016.exe | ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: Products Request for Quotation - RFQ - 20201016.exe | Joe Sandbox ML: detected
Source: 17.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | Code function: 4x nop then jmp 02EDBB07h | 1_2_02EDADF8

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: hastebin.com
May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org (listed 6 times)
Source: Joe Sandbox View | IP Address: 172.67.143.180
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS traffic detected: queries for: hastebin.com
Source: InstallUtil.exe, 00000011.00000002.510382688.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 00000011.00000002.510382688.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://ANcRtw.com
Source: InstallUtil.exe, 00000011.00000002.510382688.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: InstallUtil.exe, 00000011.00000002.510382688.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.409687211.00000000041A5000.00000004.00000001.sdmp, InstallUtil.exe, 00000011.00000002.507593981.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: InstallUtil.exe, 00000011.00000002.510382688.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.406470958.0000000002FD1000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com
Source: Products Request for Quotation - RFQ - 20201016.exe | String found in binary or memory: https://hastebin.com/raw/epekayugaw
Source: Products Request for Quotation - RFQ - 20201016.exe | String found in binary or memory: https://hastebin.com/raw/exijarubeq
Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.406855531.0000000003026000.00000004.00000001.sdmp, Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.406933618.0000000003040000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Products Request for Quotation - RFQ - 20201016.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.409687211.00000000041A5000.00000004.00000001.sdmp, InstallUtil.exe, 00000011.00000002.507593981.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 00000011.00000002.510382688.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Products Request for Quotation - RFQ - 20201016.exe
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | Code function: 1_2_02ED94D8 NtSetInformationThread
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | Code function: 1_2_02EDA528 NtSetInformationThread
Source: Products Request for Quotation - RFQ - 20201016.exe | Static PE information: invalid certificate
Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.412760313.0000000005410000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Products Request for Quotation - RFQ - 20201016.exe
Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.409687211.00000000041A5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Products Request for Quotation - RFQ - 20201016.exe
Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.413391227.0000000005FE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Products Request for Quotation - RFQ - 20201016.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@3/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4532:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1740
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER187A.tmp
Source: Products Request for Quotation - RFQ - 20201016.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | File read: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe
Source: unknown | Process created: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe 'C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 18
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1272
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 18
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Products Request for Quotation - RFQ - 20201016.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Products Request for Quotation - RFQ - 20201016.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000015.00000003.381325187.000000000558B000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdbm source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: winhttp.pdb,* source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000015.00000003.381325187.000000000558B000.00000004.00000001.sdmp, WER187A.tmp.dmp.21.dr
              Source: Binary string: wimm32.pdb/ source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: rsaenh.pdbW source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000015.00000002.402467389.0000000005C80000.00000004.00000001.sdmp
              Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: winhttp.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb? source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000015.00000002.402467389.0000000005C80000.00000004.00000001.sdmp
              Source: Binary string: System.pdbx source: WerFault.exe, 00000015.00000002.402467389.0000000005C80000.00000004.00000001.sdmp
              Source: Binary string: rtutils.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000015.00000003.366901081.0000000003153000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdbs source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000015.00000002.402467389.0000000005C80000.00000004.00000001.sdmp, WER187A.tmp.dmp.21.dr
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000015.00000003.382844234.0000000005570000.00000004.00000040.sdmp
              Source: Binary string: WLDP.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 00000015.00000003.381126712.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER187A.tmp.dmp.21.dr
              Source: Binary string: clrjit.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: rasman.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000015.00000002.402467389.0000000005C80000.00000004.00000001.sdmp, WER187A.tmp.dmp.21.dr
              Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: bcrypt.pdba source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: version.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: wintrust.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000015.00000002.402467389.0000000005C80000.00000004.00000001.sdmp, WER187A.tmp.dmp.21.dr
              Source: Binary string: System.pdb source: WerFault.exe, 00000015.00000003.381325187.000000000558B000.00000004.00000001.sdmp, WER187A.tmp.dmp.21.dr
              Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000015.00000002.402467389.0000000005C80000.00000004.00000001.sdmp, WER187A.tmp.dmp.21.dr
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000015.00000003.382844234.0000000005570000.00000004.00000040.sdmp
              Source: Binary string: psapi.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000015.00000003.381126712.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000015.00000002.402467389.0000000005C80000.00000004.00000001.sdmp
              Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000015.00000003.366926725.0000000003165000.00000004.00000001.sdmp
              Source: Binary string: Products Request for Quotation - RFQ - 20201016.PDB source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.403755758.0000000000F75000.00000004.00000010.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000015.00000003.380757128.0000000005572000.00000004.00000040.sdmp
              Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000015.00000003.380757128.0000000005572000.00000004.00000040.sdmp
              Source: Binary string: ncrypt.pdb>* source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: Binary string: combase.pdbk source: WerFault.exe, 00000015.00000003.381818546.0000000005577000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdb source: WerFault.exe, 00000015.00000003.381325187.000000000558B000.00000004.00000001.sdmp, WER187A.tmp.dmp.21.dr
              Source: Binary string: .pdbN source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.403755758.0000000000F75000.00000004.00000010.sdmp
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdb` source: WER187A.tmp.dmp.21.dr
              Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000015.00000002.402467389.0000000005C80000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000015.00000003.380757128.0000000005572000.00000004.00000040.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 00000015.00000003.381072715.000000000557A000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000015.00000003.381236180.0000000005466000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.pdbD source: WER187A.tmp.dmp.21.dr
              Source: Binary string: npboVisualBasic.pdb source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.403755758.0000000000F75000.00000004.00000010.sdmp
              Source: Binary string: System.ni.pdb source: WerFault.exe, 00000015.00000002.402467389.0000000005C80000.00000004.00000001.sdmp, WER187A.tmp.dmp.21.dr
              Source: Binary string: crypt32.pdb source: WerFault.exe, 00000015.00000003.380608000.000000000557E000.00000004.00000040.sdmp
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_02ED3B21 push 4802F0E8h; ret 1_2_02ED3B2D
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_05D61DCB pushfd ; iretd 1_2_05D61DD5
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_05D615E3 push eax; iretd 1_2_05D615E4
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_05D65515 push eax; retf 1_2_05D65516
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_05D64D24 pushfd ; retf 1_2_05D64D25
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_05D64D2F pushfd ; retf 1_2_05D64D31
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_05D654AA push esp; retf 1_2_05D654AB
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_05D65374 pushad ; retf 1_2_05D65376
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_05D65369 pushad ; retf 1_2_05D6536A
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_05D6164E push esp; iretd 1_2_05D6164F
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe File created: \products request for quotation - rfq - 20201016.exe
              Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 492
              Source: C:\Windows\System32\conhost.exe TID: 6204 Thread sleep count: 41 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6536 Thread sleep count: 492 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -59500s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -59312s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -58406s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -57312s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -56718s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -56218s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -55812s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -55594s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -54906s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -54718s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -54500s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -53812s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -53594s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -53406s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -53218s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -52718s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -52500s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -52312s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -51406s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -51218s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -50312s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -49906s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -49718s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -49218s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -48812s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -48594s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480 Thread sleep time: -47718s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -47500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -46406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -46218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -45718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -45500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -44406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -44218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -43312s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -43094s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -42218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -40906s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -40718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -34218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -33906s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -33500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -33312s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -30718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6480Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
              Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.412760313.0000000005410000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.513853445.0000000005DD0000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.401552196.0000000005250000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: WerFault.exe, 00000015.00000002.401437402.0000000005034000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
              Source: WerFault.exe, 00000015.00000002.400440295.0000000003140000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
              Source: WerFault.exe, 00000015.00000002.400418410.0000000003129000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW8P{
              Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.412760313.0000000005410000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.513853445.0000000005DD0000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.401552196.0000000005250000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.412760313.0000000005410000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.513853445.0000000005DD0000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.401552196.0000000005250000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Products Request for Quotation - RFQ - 20201016.exe, 00000001.00000002.412760313.0000000005410000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.513853445.0000000005DD0000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.401552196.0000000005250000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Process information queried: ProcessInformation

              Anti Debugging:

              Contains functionality to hide a thread from the debugger
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Code function: 1_2_02ED94D8 NtSetInformationThread ?,00000011,?,? 1_2_02ED94D8
              Hides threads from debuggers
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Products Request for Quotation - RFQ - 20201016.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:
