Play interactive tour

Edit tour

Analysis Report Request for Quotation.exe

Overview

General Information

Sample Name:	Request for Quotation.exe
Analysis ID:	356426
MD5:	ae4bd6c5a7eaa50704d43d6054fc5dbd
SHA1:	ab597cfc0433999f2032c56fe2c9e17081bcab46
SHA256:	8e51354c8b2f461ab0cfb92409bc45bf4e06ae244080513e2d6224dc22f47771
Tags:	RemcosRAT
Most interesting Screenshot:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected WebBrowserPassView password recovery tool

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara signature match

Classification

Startup

System is w10x64

Request for Quotation.exe (PID: 7164 cmdline: 'C:\Users\user\Desktop\Request for Quotation.exe' MD5: AE4BD6C5A7EAA50704D43D6054FC5DBD)

Request for Quotation.exe (PID: 612 cmdline: 'C:\Users\user\Desktop\Request for Quotation.exe' MD5: AE4BD6C5A7EAA50704D43D6054FC5DBD)

Request for Quotation.exe (PID: 6188 cmdline: 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\hbieekorpghvpuxbpehxjpq' MD5: AE4BD6C5A7EAA50704D43D6054FC5DBD)

Request for Quotation.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\rvowfdgtdozazitngptymckjrq' MD5: AE4BD6C5A7EAA50704D43D6054FC5DBD)

Request for Quotation.exe (PID: 5692 cmdline: 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\uptpyvrmrwrfbohrpagsxhxaawaqan' MD5: AE4BD6C5A7EAA50704D43D6054FC5DBD)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "103.89.88.238:4299:s%qDr", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "excel.exe", "Startup value": "excel", "Hide file": "Disable", "Mutex": "excel-8OHAVR", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp	Remcos_1	Remcos Payload	kevoreilly	0x16510:$name: Remcos 0x16888:$name: Remcos 0x16de0:$name: Remcos 0x16e33:$name: Remcos 0x15674:$time: %02i:%02i:%02i:%03i 0x156fc:$time: %02i:%02i:%02i:%03i 0x16be4:$time: %02i:%02i:%02i:%03i 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x166f8:$str_a1: C:\Windows\System32\cmd.exe 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x159e0:$str_b2: Executing file: 0x16798:$str_b3: GetDirectListeningPort 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x16534:$str_b5: licence_code.txt 0x1649c:$str_b6: \restart.vbs 0x163c0:$str_b8: \uninstall.vbs 0x1596c:$str_b9: Downloaded file: 0x15998:$str_b10: Downloading file: 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds 0x159fc:$str_b12: Failed to upload file: 0x167d8:$str_b13: StartForward 0x167bc:$str_b14: StopForward 0x16330:$str_b15: fso.DeleteFile " 0x16394:$str_b16: On Error Resume Next 0x162fc:$str_b17: fso.DeleteFolder " 0x15a14:$str_b18: Uploaded file:
00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp	Remcos_1	Remcos Payload	kevoreilly	0x16510:$name: Remcos 0x16888:$name: Remcos 0x16de0:$name: Remcos 0x16e33:$name: Remcos 0x15674:$time: %02i:%02i:%02i:%03i 0x156fc:$time: %02i:%02i:%02i:%03i 0x16be4:$time: %02i:%02i:%02i:%03i 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x166f8:$str_a1: C:\Windows\System32\cmd.exe 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x159e0:$str_b2: Executing file: 0x16798:$str_b3: GetDirectListeningPort 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x16534:$str_b5: licence_code.txt 0x1649c:$str_b6: \restart.vbs 0x163c0:$str_b8: \uninstall.vbs 0x1596c:$str_b9: Downloaded file: 0x15998:$str_b10: Downloading file: 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds 0x159fc:$str_b12: Failed to upload file: 0x167d8:$str_b13: StartForward 0x167bc:$str_b14: StopForward 0x16330:$str_b15: fso.DeleteFile " 0x16394:$str_b16: On Error Resume Next 0x162fc:$str_b17: fso.DeleteFolder " 0x15a14:$str_b18: Uploaded file:
00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp	Remcos_1	Remcos Payload	kevoreilly	0x16510:$name: Remcos 0x16888:$name: Remcos 0x16de0:$name: Remcos 0x16e33:$name: Remcos 0x15674:$time: %02i:%02i:%02i:%03i 0x156fc:$time: %02i:%02i:%02i:%03i 0x16be4:$time: %02i:%02i:%02i:%03i 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x166f8:$str_a1: C:\Windows\System32\cmd.exe 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x159e0:$str_b2: Executing file: 0x16798:$str_b3: GetDirectListeningPort 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x16534:$str_b5: licence_code.txt 0x1649c:$str_b6: \restart.vbs 0x163c0:$str_b8: \uninstall.vbs 0x1596c:$str_b9: Downloaded file: 0x15998:$str_b10: Downloading file: 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds 0x159fc:$str_b12: Failed to upload file: 0x167d8:$str_b13: StartForward 0x167bc:$str_b14: StopForward 0x16330:$str_b15: fso.DeleteFile " 0x16394:$str_b16: On Error Resume Next 0x162fc:$str_b17: fso.DeleteFolder " 0x15a14:$str_b18: Uploaded file:
Process Memory Space: Request for Quotation.exe PID: 6188	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Request for Quotation.exe PID: 7164	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Request for Quotation.exe PID: 612	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.1.Request for Quotation.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.1.Request for Quotation.exe.400000.0.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x16510:$name: Remcos 0x16888:$name: Remcos 0x16de0:$name: Remcos 0x16e33:$name: Remcos 0x15674:$time: %02i:%02i:%02i:%03i 0x156fc:$time: %02i:%02i:%02i:%03i 0x16be4:$time: %02i:%02i:%02i:%03i 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
1.1.Request for Quotation.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x166f8:$str_a1: C:\Windows\System32\cmd.exe 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x159e0:$str_b2: Executing file: 0x16798:$str_b3: GetDirectListeningPort 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x16534:$str_b5: licence_code.txt 0x1649c:$str_b6: \restart.vbs 0x163c0:$str_b8: \uninstall.vbs 0x1596c:$str_b9: Downloaded file: 0x15998:$str_b10: Downloading file: 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds 0x159fc:$str_b12: Failed to upload file: 0x167d8:$str_b13: StartForward 0x167bc:$str_b14: StopForward 0x16330:$str_b15: fso.DeleteFile " 0x16394:$str_b16: On Error Resume Next 0x162fc:$str_b17: fso.DeleteFolder " 0x15a14:$str_b18: Uploaded file:
1.1.Request for Quotation.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.1.Request for Quotation.exe.400000.0.unpack	Remcos_1	Remcos Payload	kevoreilly	0x16510:$name: Remcos 0x16888:$name: Remcos 0x16de0:$name: Remcos 0x16e33:$name: Remcos 0x15674:$time: %02i:%02i:%02i:%03i 0x156fc:$time: %02i:%02i:%02i:%03i 0x16be4:$time: %02i:%02i:%02i:%03i 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
1.1.Request for Quotation.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x166f8:$str_a1: C:\Windows\System32\cmd.exe 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x159e0:$str_b2: Executing file: 0x16798:$str_b3: GetDirectListeningPort 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x16534:$str_b5: licence_code.txt 0x1649c:$str_b6: \restart.vbs 0x163c0:$str_b8: \uninstall.vbs 0x1596c:$str_b9: Downloaded file: 0x15998:$str_b10: Downloading file: 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds 0x159fc:$str_b12: Failed to upload file: 0x167d8:$str_b13: StartForward 0x167bc:$str_b14: StopForward 0x16330:$str_b15: fso.DeleteFile " 0x16394:$str_b16: On Error Resume Next 0x162fc:$str_b17: fso.DeleteFolder " 0x15a14:$str_b18: Uploaded file:
1.2.Request for Quotation.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.Request for Quotation.exe.400000.0.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x16510:$name: Remcos 0x16888:$name: Remcos 0x16de0:$name: Remcos 0x16e33:$name: Remcos 0x15674:$time: %02i:%02i:%02i:%03i 0x156fc:$time: %02i:%02i:%02i:%03i 0x16be4:$time: %02i:%02i:%02i:%03i 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
1.2.Request for Quotation.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x166f8:$str_a1: C:\Windows\System32\cmd.exe 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x159e0:$str_b2: Executing file: 0x16798:$str_b3: GetDirectListeningPort 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x16534:$str_b5: licence_code.txt 0x1649c:$str_b6: \restart.vbs 0x163c0:$str_b8: \uninstall.vbs 0x1596c:$str_b9: Downloaded file: 0x15998:$str_b10: Downloading file: 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds 0x159fc:$str_b12: Failed to upload file: 0x167d8:$str_b13: StartForward 0x167bc:$str_b14: StopForward 0x16330:$str_b15: fso.DeleteFile " 0x16394:$str_b16: On Error Resume Next 0x162fc:$str_b17: fso.DeleteFolder " 0x15a14:$str_b18: Uploaded file:
0.2.Request for Quotation.exe.2a50000.5.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Request for Quotation.exe.2a50000.5.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x16510:$name: Remcos 0x16888:$name: Remcos 0x16de0:$name: Remcos 0x16e33:$name: Remcos 0x15674:$time: %02i:%02i:%02i:%03i 0x156fc:$time: %02i:%02i:%02i:%03i 0x16be4:$time: %02i:%02i:%02i:%03i 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
0.2.Request for Quotation.exe.2a50000.5.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x166f8:$str_a1: C:\Windows\System32\cmd.exe 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x159e0:$str_b2: Executing file: 0x16798:$str_b3: GetDirectListeningPort 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x16534:$str_b5: licence_code.txt 0x1649c:$str_b6: \restart.vbs 0x163c0:$str_b8: \uninstall.vbs 0x1596c:$str_b9: Downloaded file: 0x15998:$str_b10: Downloading file: 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds 0x159fc:$str_b12: Failed to upload file: 0x167d8:$str_b13: StartForward 0x167bc:$str_b14: StopForward 0x16330:$str_b15: fso.DeleteFile " 0x16394:$str_b16: On Error Resume Next 0x162fc:$str_b17: fso.DeleteFolder " 0x15a14:$str_b18: Uploaded file:
0.2.Request for Quotation.exe.2a50000.5.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Request for Quotation.exe.2a50000.5.unpack	Remcos_1	Remcos Payload	kevoreilly	0x16510:$name: Remcos 0x16888:$name: Remcos 0x16de0:$name: Remcos 0x16e33:$name: Remcos 0x15674:$time: %02i:%02i:%02i:%03i 0x156fc:$time: %02i:%02i:%02i:%03i 0x16be4:$time: %02i:%02i:%02i:%03i 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
0.2.Request for Quotation.exe.2a50000.5.unpack	REMCOS_RAT_variants	unknown	unknown	0x166f8:$str_a1: C:\Windows\System32\cmd.exe 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x159e0:$str_b2: Executing file: 0x16798:$str_b3: GetDirectListeningPort 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x16534:$str_b5: licence_code.txt 0x1649c:$str_b6: \restart.vbs 0x163c0:$str_b8: \uninstall.vbs 0x1596c:$str_b9: Downloaded file: 0x15998:$str_b10: Downloading file: 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds 0x159fc:$str_b12: Failed to upload file: 0x167d8:$str_b13: StartForward 0x167bc:$str_b14: StopForward 0x16330:$str_b15: fso.DeleteFile " 0x16394:$str_b16: On Error Resume Next 0x162fc:$str_b17: fso.DeleteFolder " 0x15a14:$str_b18: Uploaded file:
1.2.Request for Quotation.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.Request for Quotation.exe.400000.0.unpack	Remcos_1	Remcos Payload	kevoreilly	0x16510:$name: Remcos 0x16888:$name: Remcos 0x16de0:$name: Remcos 0x16e33:$name: Remcos 0x15674:$time: %02i:%02i:%02i:%03i 0x156fc:$time: %02i:%02i:%02i:%03i 0x16be4:$time: %02i:%02i:%02i:%03i 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
1.2.Request for Quotation.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x166f8:$str_a1: C:\Windows\System32\cmd.exe 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x159e0:$str_b2: Executing file: 0x16798:$str_b3: GetDirectListeningPort 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x16534:$str_b5: licence_code.txt 0x1649c:$str_b6: \restart.vbs 0x163c0:$str_b8: \uninstall.vbs 0x1596c:$str_b9: Downloaded file: 0x15998:$str_b10: Downloading file: 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds 0x159fc:$str_b12: Failed to upload file: 0x167d8:$str_b13: StartForward 0x167bc:$str_b14: StopForward 0x16330:$str_b15: fso.DeleteFile " 0x16394:$str_b16: On Error Resume Next 0x162fc:$str_b17: fso.DeleteFolder " 0x15a14:$str_b18: Uploaded file:
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.1.Request for Quotation.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": "103.89.88.238:4299:s%qDr", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "excel.exe", "Startup value": "excel", "Hide file": "Disable", "Mutex": "excel-8OHAVR", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0"}

Multi AV Scanner detection for submitted file

Show sources

Source: Request for Quotation.exe	Virustotal: Detection: 27%			Perma Link
Source: Request for Quotation.exe	ReversingLabs: Detection: 21%

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation.exe PID: 7164, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation.exe PID: 612, type: MEMORY
Source: Yara match	File source: 1.1.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation.exe.2a50000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation.exe.2a50000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Request for Quotation.exe

Joe Sandbox ML: detected

Source: 1.1.Request for Quotation.exe.400000.0.unpack	Avira: Label: BDS/Backdoor.Gen
Source: 0.2.Request for Quotation.exe.2a50000.5.unpack	Avira: Label: BDS/Backdoor.Gen
Source: 1.2.Request for Quotation.exe.400000.0.unpack	Avira: Label: BDS/Backdoor.Gen

Cryptography:

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 3_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe

Unpacked PE file: 1.2.Request for Quotation.exe.400000.0.unpack

Uses 32bit PE files

Show sources

Source: Request for Quotation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Request for Quotation.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wntdll.pdbUGP source: Request for Quotation.exe, 00000000.00000003.638506500.0000000002A70000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Request for Quotation.exe, 00000000.00000003.638506500.0000000002A70000.00000004.00000001.sdmp

Spreading:

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,#23,#4,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_s
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0040AE51 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 103.89.88.238

Source: global traffic

TCP traffic: 192.168.2.4:49726 -> 103.89.88.238:4299

Source: Joe Sandbox View

IP Address: 103.89.88.238 103.89.88.238

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.88.238

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_00402149 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,

Source: Request for Quotation.exe, 00000004.00000002.652481642.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Request for Quotation.exe, 00000003.00000003.653713973.00000000022C4000.00000004.00000001.sdmp	String found in binary or memory: earchhttps://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3ktYWIQAzIFCAAQsQMyCAgAELEDEIMBMgUIABCxAzIFCAAQsQMyBQgAELEDMgUIABCxAzIICAAQsQMQgwEyAggAMgIIADIFCAAQsQM6CwguELEDEMcBEKMCOggILhCxAxCDAToOCC4QsQMQgwEQxwEQowI6CwguELEDEIMBEJMCOgUILhCxAzoLCC4QsQMQxwEQrwE6AgguUMpIWMFNYPhRaABwAHgAgAF_iAHIBJIBAzUuMZgBAKABAaoBB2d3cy13aXo&sclient=psy-ab&ved=0ahUKEwik3ey3rJDsAhU-BGMBHSocCmAQ4dUDCAw&uact=5https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/intl/en_uk/chrome/thank-you.htmlhttps://www.google.com/intl/en_uk/chrome/https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQFjAAegQIDhAB&url=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F&usg=AOvVaw3tRKGAbA7yncokivgyNZzyhttps://www.google.com/urlhttps://www.google.com/?gws_rd=sslhttps://www.google.com/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https%3A%2F%2Fwww.google.com&cn=callout&pid=1&spid=1&hl=enhttps://ogs.google.com/widget/callouthttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=278&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=145&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591https://consent.google.com/done8https://consent.google.com/set?pc=s&uxe=4421591https://consent.google.com/sethttps://consent.google.com/?hl=en-GB&origin=https://www.goog
Source: Request for Quotation.exe, 00000003.00000003.653713973.00000000022C4000.00000004.00000001.sdmp	String found in binary or memory: earchhttps://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3ktYWIQAzIFCAAQsQMyCAgAELEDEIMBMgUIABCxAzIFCAAQsQMyBQgAELEDMgUIABCxAzIICAAQsQMQgwEyAggAMgIIADIFCAAQsQM6CwguELEDEMcBEKMCOggILhCxAxCDAToOCC4QsQMQgwEQxwEQowI6CwguELEDEIMBEJMCOgUILhCxAzoLCC4QsQMQxwEQrwE6AgguUMpIWMFNYPhRaABwAHgAgAF_iAHIBJIBAzUuMZgBAKABAaoBB2d3cy13aXo&sclient=psy-ab&ved=0ahUKEwik3ey3rJDsAhU-BGMBHSocCmAQ4dUDCAw&uact=5https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/intl/en_uk/chrome/thank-you.htmlhttps://www.google.com/intl/en_uk/chrome/https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQFjAAegQIDhAB&url=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F&usg=AOvVaw3tRKGAbA7yncokivgyNZzyhttps://www.google.com/urlhttps://www.google.com/?gws_rd=sslhttps://www.google.com/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https%3A%2F%2Fwww.google.com&cn=callout&pid=1&spid=1&hl=enhttps://ogs.google.com/widget/callouthttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=278&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=145&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591https://consent.google.com/done8https://consent.google.com/set?pc=s&uxe=4421591https://consent.google.com/sethttps://consent.google.com/?hl=en-GB&origin=https://www.goog
Source: Request for Quotation.exe, 00000003.00000003.652133843.00000000022C3000.00000004.00000001.sdmp	String found in binary or memory: http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/searchhttps://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3ktYWIQAzIFCAAQsQMyCAgAELEDEIMBMgUIABCxAzIFCAAQsQMyBQgAELEDMgUIABCxAzIICAAQsQMQgwEyAggAMgIIADIFCAAQsQM6CwguELEDEMcBEKMCOggILhCxAxCDAToOCC4QsQMQgwEQxwEQowI6CwguELEDEIMBEJMCOgUILhCxAzoLCC4QsQMQxwEQrwE6AgguUMpIWMFNYPhRaABwAHgAgAF_iAHIBJIBAzUuMZgBAKABAaoBB2d3cy13aXo&sclient=psy-ab&ved=0ahUKEwik3ey3rJDsAhU-BGMBHSocCmAQ4dUDCAw&uact=5https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/intl/en_uk/chrome/thank-you.htmlhttps://www.google.com/intl/en_uk/chrome/https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQFjAAegQIDhAB&url=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F&usg=AOvVaw3tRKGAbA7yncokivgyNZzyhttps://www.google.com/urlhttps://www.google.com/?gws_rd=sslhttps://www.google.com/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https%3A%2F%2Fwww.google.com&cn=callout&pid=1&spid=1&hl=enhttps://ogs.google.com/widget/callouthttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=278&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=145&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&
Source: Request for Quotation.exe, 00000003.00000003.652133843.00000000022C3000.00000004.00000001.sdmp	String found in binary or memory: http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/searchhttps://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3ktYWIQAzIFCAAQsQMyCAgAELEDEIMBMgUIABCxAzIFCAAQsQMyBQgAELEDMgUIABCxAzIICAAQsQMQgwEyAggAMgIIADIFCAAQsQM6CwguELEDEMcBEKMCOggILhCxAxCDAToOCC4QsQMQgwEQxwEQowI6CwguELEDEIMBEJMCOgUILhCxAzoLCC4QsQMQxwEQrwE6AgguUMpIWMFNYPhRaABwAHgAgAF_iAHIBJIBAzUuMZgBAKABAaoBB2d3cy13aXo&sclient=psy-ab&ved=0ahUKEwik3ey3rJDsAhU-BGMBHSocCmAQ4dUDCAw&uact=5https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/intl/en_uk/chrome/thank-you.htmlhttps://www.google.com/intl/en_uk/chrome/https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQFjAAegQIDhAB&url=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F&usg=AOvVaw3tRKGAbA7yncokivgyNZzyhttps://www.google.com/urlhttps://www.google.com/?gws_rd=sslhttps://www.google.com/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https%3A%2F%2Fwww.google.com&cn=callout&pid=1&spid=1&hl=enhttps://ogs.google.com/widget/callouthttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=278&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=145&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&
Source: Request for Quotation.exe	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Request for Quotation.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Request for Quotation.exe, 00000003.00000002.654150838.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Request for Quotation.exe, 00000003.00000002.654150838.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: Request for Quotation.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Request for Quotation.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Request for Quotation.exe	String found in binary or memory: http://www.ebuddy.com
Source: Request for Quotation.exe	String found in binary or memory: http://www.imvu.com
Source: Request for Quotation.exe, 00000004.00000002.652481642.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Request for Quotation.exe, 00000004.00000002.652481642.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.imvu.comr
Source: Request for Quotation.exe, 00000003.00000002.654097061.0000000000193000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Request for Quotation.exe, Request for Quotation.exe, 00000005.00000001.652992004.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: Request for Quotation.exe, 00000003.00000003.652133843.00000000022C3000.00000004.00000001.sdmp, Request for Quotation.exe, 00000003.00000003.653713973.00000000022C4000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: Request for Quotation.exe, 00000003.00000003.653713973.00000000022C4000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr
Source: Request for Quotation.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: Request for Quotation.exe, 00000003.00000003.652407744.00000000022C3000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: Request for Quotation.exe, 00000003.00000003.652407744.00000000022C3000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: Request for Quotation.exe	String found in binary or memory: https://www.google.com
Source: Request for Quotation.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: Request for Quotation.exe, 00000003.00000003.653713973.00000000022C4000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Esc]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Enter]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Tab]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Down]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Right]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Up]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Left]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [End]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [F2]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [F1]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Del]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Del]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Esc]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Enter]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Tab]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Down]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Right]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Up]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Left]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [End]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [F2]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [F1]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Del]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: [Del]

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation.exe PID: 7164, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation.exe PID: 612, type: MEMORY
Source: Yara match	File source: 1.1.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation.exe.2a50000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation.exe.2a50000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Remcos Payload Author: kevoreilly
Source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Remcos Payload Author: kevoreilly
Source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Remcos Payload Author: kevoreilly
Source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.1.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 1.1.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.1.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 1.1.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 1.2.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Request for Quotation.exe.2a50000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.Request for Quotation.exe.2a50000.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Request for Quotation.exe.2a50000.5.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.Request for Quotation.exe.2a50000.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 1.2.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Request for Quotation.exe

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00401806 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_004018C0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0040DD85 CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0040DE0B NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,OpenProcess,GetCurrentProcess,DuplicateHandle,NtQueryObject,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00402CAC NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00402D66 NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_004016FC NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_004017B6 NtdllDefWindowProc_A,

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_00407272
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_00406A9B
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_6F711A98
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040D2A6
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040D2A6
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044B040
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0043610D
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00447310
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044A490
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0040755A
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0043C560
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044B610
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044D6C0
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_004476F0
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044B870
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044081D
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00414957
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_004079EE
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00407AEB
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044AA80
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00412AA9
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00404B74
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00404B03
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044BBD8
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00404BE5
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00404C76
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00415CFE
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00416D72
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00446D30
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00446D8B
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00406E8F
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044B040
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_004570B9
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_004562B5
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00476347
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00447310
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044A490
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0043C560
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044B610
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044D6C0
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_004476F0
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044B870
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00414957
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044090C
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00414A78
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00412AF9
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044AA80
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00412AA9
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044BBD8
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00412CD7
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00416D72
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00446D30
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00446D8B
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00412E38
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_004050C2
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_004014AB
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00405133
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_004051A4
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00401246
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_0040CA46
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00405235
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_004032C8
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_004222D9
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00401689
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00402F60
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_1_0040CA46
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_1_004222D9
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_0040D044
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_00405038
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_004050A9
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_0040511A
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_004051AB
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_004382F3
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_00430575
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_0043B671
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_0041F6CD
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_004119CF
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_00439B11
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_00438E54
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_00412F67
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_0043CF18
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_1_0041E13A
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_1_00422589
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_1_0041F6CD
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_1_0043CF18

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 0042FE8B appears 44 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 00414176 appears 50 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 004169A7 appears 196 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 004165FF appears 75 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 00412627 appears 34 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 00413CE8 appears 46 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 00413D18 appears 36 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 0041203B appears 62 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 0044407A appears 37 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 00413DCE appears 48 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 004124F0 appears 36 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 00414060 appears 38 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 004440AA appears 60 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 004440C8 appears 32 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 0044DB70 appears 50 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 00412968 appears 176 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 00413E72 appears 98 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 00421A32 appears 45 times
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: String function: 00416760 appears 106 times

Source: Request for Quotation.exe, 00000000.00000003.638628482.0000000002B86000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Request for Quotation.exe
Source: Request for Quotation.exe, 00000000.00000002.642974977.0000000000A40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Request for Quotation.exe
Source: Request for Quotation.exe, 00000001.00000003.654310142.0000000002A69000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs Request for Quotation.exe
Source: Request for Quotation.exe	Binary or memory string: OriginalFileName vs Request for Quotation.exe
Source: Request for Quotation.exe	Binary or memory string: OriginalFilename vs Request for Quotation.exe
Source: Request for Quotation.exe, 00000004.00000001.651818512.000000000041B000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs Request for Quotation.exe

Source: Request for Quotation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.1.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 1.1.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.1.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 1.1.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 1.2.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Request for Quotation.exe.2a50000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.Request for Quotation.exe.2a50000.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Request for Quotation.exe.2a50000.5.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.Request for Quotation.exe.2a50000.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 1.2.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@9/6@0/2

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 3_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_1_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 0_2_6EEE4211 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_00409D02 FindResourceA,LoadResource,LockResource,SizeofResource,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_00411927 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,

Source: C:\Users\user\Desktop\Request for Quotation.exe

File created: C:\Users\user\AppData\Roaming\excel

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation.exe

Mutant created: \Sessions\1\BaseNamedObjects\excel-8OHAVR

Source: C:\Users\user\Desktop\Request for Quotation.exe

File created: C:\Users\user\AppData\Local\Temp\nsh7777.tmp

Jump to behavior

Source: Request for Quotation.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Request for Quotation.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\Request for Quotation.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Request for Quotation.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Request for Quotation.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Request for Quotation.exe, 00000003.00000002.654150838.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Request for Quotation.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Request for Quotation.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Request for Quotation.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Request for Quotation.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: Request for Quotation.exe	Virustotal: Detection: 27%
Source: Request for Quotation.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\Request for Quotation.exe

File read: C:\Users\user\Desktop\Request for Quotation.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\hbieekorpghvpuxbpehxjpq'
Source: unknown	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\rvowfdgtdozazitngptymckjrq'
Source: unknown	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\uptpyvrmrwrfbohrpagsxhxaawaqan'
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe'
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\hbieekorpghvpuxbpehxjpq'
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\rvowfdgtdozazitngptymckjrq'
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\uptpyvrmrwrfbohrpagsxhxaawaqan'

Source: C:\Users\user\Desktop\Request for Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\Request for Quotation.exe

File opened: C:\Users\user\Desktop\Request for Quotation.cfg

Source: C:\Users\user\Desktop\Request for Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Source: Request for Quotation.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Request for Quotation.exe, 00000000.00000003.638506500.0000000002A70000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Request for Quotation.exe, 00000000.00000003.638506500.0000000002A70000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe	Unpacked PE file: 1.2.Request for Quotation.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\Request for Quotation.exe	Unpacked PE file: 3.2.Request for Quotation.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\Request for Quotation.exe	Unpacked PE file: 4.2.Request for Quotation.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\Request for Quotation.exe	Unpacked PE file: 5.2.Request for Quotation.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe

Unpacked PE file: 1.2.Request for Quotation.exe.400000.0.unpack

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 0_2_6F711A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: aqx5kku77.dll.0.dr

Static PE information: section name: .code

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_6F712F60 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00413ED0 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00413ED0 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044693D push ecx; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044DB70 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0044DB70 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_00451D54 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00416794 push ecx; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044693D push ecx; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044DB70 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_0044DB70 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00403C9C push ds; retf
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_1_00451D54 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00414060 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00414060 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00414039 push ecx; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_004164EB push 0000006Ah; retf
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00416553 push 0000006Ah; retf
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00416555 push 0000006Ah; retf
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_1_00414060 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_1_00414060 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_1_00414039 push ecx; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_1_004164EB push 0000006Ah; retf
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_1_00416553 push 0000006Ah; retf
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_1_00416555 push 0000006Ah; retf
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_1_00407A7A push 368B2BCFh; retn 29E8h
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_00444355 push ecx; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_004446D0 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_004446D0 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_0044AC84 push eax; ret
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_1_0040E2C0 pushad ; iretd

Source: initial sample

Static PE information: section name: .data entropy: 7.91187275954

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_0040D4E5 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,

Source: C:\Users\user\Desktop\Request for Quotation.exe	File created: C:\Users\user\AppData\Local\Temp\aqx5kku77.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Request for Quotation.exe	File created: C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\System.dll			Jump to dropped file

Boot Survival:

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_00411700 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\Request for Quotation.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Window / User API: threadDelayed 709

Source: C:\Users\user\Desktop\Request for Quotation.exe TID: 6012	Thread sleep count: 709 > 30
Source: C:\Users\user\Desktop\Request for Quotation.exe TID: 6012	Thread sleep time: -7090000s >= -30000s

Source: C:\Users\user\Desktop\Request for Quotation.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,#23,#4,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_s
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 1_1_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 3_2_0040AE51 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 5_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 3_2_00418981 memset,GetSystemInfo,

Source: Request for Quotation.exe, 00000000.00000002.642779370.0000000000688000.00000004.00000020.sdmp	Binary or memory string: ECVMWar&Prod_VMware_c
Source: Request for Quotation.exe, 00000001.00000002.903364416.0000000000767000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Request for Quotation.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 0_2_6F711A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_6EEE6B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: 0_2_6EEE6E07 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Request for Quotation.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_0040F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe	Memory written: C:\Users\user\Desktop\Request for Quotation.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Request for Quotation.exe	Memory written: C:\Users\user\Desktop\Request for Quotation.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Request for Quotation.exe	Memory written: C:\Users\user\Desktop\Request for Quotation.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe

Section loaded: unknown target: C:\Users\user\Desktop\Request for Quotation.exe protection: execute and read and write

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_00410145 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,StrToIntA,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,mouse_event,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,

Source: C:\Users\user\Desktop\Request for Quotation.exe	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe'
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\hbieekorpghvpuxbpehxjpq'
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\rvowfdgtdozazitngptymckjrq'
Source: C:\Users\user\Desktop\Request for Quotation.exe	Process created: C:\Users\user\Desktop\Request for Quotation.exe 'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\uptpyvrmrwrfbohrpagsxhxaawaqan'

Source: Request for Quotation.exe, 00000001.00000002.903407196.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Request for Quotation.exe, 00000001.00000002.903407196.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Request for Quotation.exe, 00000001.00000002.903407196.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Request for Quotation.exe, 00000001.00000002.903512779.00000000022F6000.00000004.00000040.sdmp	Binary or memory string: Program Manageranagerz
Source: Request for Quotation.exe, 00000001.00000002.903512779.00000000022F6000.00000004.00000040.sdmp	Binary or memory string: Program Manageranager
Source: logs.dat.1.dr	Binary or memory string: [ Program Manager ]
Source: Request for Quotation.exe, 00000001.00000002.903512779.00000000022F6000.00000004.00000040.sdmp	Binary or memory string: Program Managerinistrator
Source: Request for Quotation.exe, 00000001.00000002.903407196.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Request for Quotation.exe, 00000001.00000002.903598740.0000000002A67000.00000004.00000001.sdmp	Binary or memory string: \|Program Manager\|

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_004124A0 cpuid

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_00402580 GetLocalTime,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,CreateThread,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 1_2_00412163 GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\Request for Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation.exe PID: 7164, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation.exe PID: 612, type: MEMORY
Source: Yara match	File source: 1.1.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation.exe.2a50000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation.exe.2a50000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

Contains functionality to steal Firefox passwords or cookies

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: \key3.db
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: \key3.db

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Request for Quotation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\Request for Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\Request for Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\Desktop\Request for Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\Request for Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\Request for Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Request for Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Request for Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: ESMTPPassword
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match

File source: Process Memory Space: Request for Quotation.exe PID: 6188, type: MEMORY

Remote Access Functionality:

Detected Remcos RAT

Show sources

Source: Request for Quotation.exe, 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: Request for Quotation.exe, 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp	String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
Source: Request for Quotation.exe	String found in binary or memory: Remcos_Mutex_Inj
Source: Request for Quotation.exe, 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation.exe PID: 7164, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation.exe PID: 612, type: MEMORY
Source: Yara match	File source: 1.1.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation.exe.2a50000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation.exe.2a50000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: cmd.exe
Source: C:\Users\user\Desktop\Request for Quotation.exe	Code function: cmd.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping2	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Command and Scripting Interpreter1	Windows Service1	Access Token Manipulation1	Obfuscated Files or Information3	Input Capture111	Account Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Logon Script (Windows)	Windows Service1	Software Packing22	Credentials in Registry2	System Service Discovery1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection322	Masquerading1	Credentials In Files3	File and Directory Discovery3	Distributed Component Object Model	Input Capture111	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion2	LSA Secrets	System Information Discovery48	SSH	Clipboard Data2	Data Transfer Size Limits	Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Security Software Discovery21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection322	DCSync	Virtualization/Sandbox Evasion2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Process Discovery4	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Request for Quotation.exe	27%	Virustotal		Browse
Request for Quotation.exe	14%	Metadefender		Browse
Request for Quotation.exe	21%	ReversingLabs	Win32.Backdoor.Remcos
Request for Quotation.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\aqx5kku77.dll	6%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.0.Request for Quotation.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
0.2.Request for Quotation.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
1.0.Request for Quotation.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
4.2.Request for Quotation.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1116590	Download File
5.0.Request for Quotation.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
1.1.Request for Quotation.exe.400000.0.unpack	100%	Avira	BDS/Backdoor.Gen	Download File
5.2.Request for Quotation.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1116590	Download File
4.0.Request for Quotation.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
0.2.Request for Quotation.exe.2a50000.5.unpack	100%	Avira	BDS/Backdoor.Gen	Download File
3.2.Request for Quotation.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1116566	Download File
0.0.Request for Quotation.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
1.2.Request for Quotation.exe.400000.0.unpack	100%	Avira	BDS/Backdoor.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.imvu.comr	0%	Avira URL Cloud	safe
103.89.88.238	0%	Avira URL Cloud	safe
http://www.ebuddy.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
103.89.88.238	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr	Request for Quotation.exe, 00000003.00000003.653713973.00000000022C4000.00000004.00000001.sdmp	false		high
https://login.yahoo.com/config/login	Request for Quotation.exe	false		high
http://www.imvu.comr	Request for Quotation.exe, 00000004.00000002.652481642.0000000000400000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	Request for Quotation.exe	false		high
http://www.nirsoft.net	Request for Quotation.exe, 00000003.00000002.654097061.0000000000193000.00000004.00000010.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Request for Quotation.exe	false		high
http://www.nirsoft.net/	Request for Quotation.exe, Request for Quotation.exe, 00000005.00000001.652992004.0000000000400000.00000040.00020000.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	Request for Quotation.exe, 00000003.00000003.652133843.00000000022C3000.00000004.00000001.sdmp, Request for Quotation.exe, 00000003.00000003.653713973.00000000022C4000.00000004.00000001.sdmp	false		high
http://www.ebuddy.com	Request for Quotation.exe	false	Avira URL Cloud: safe	unknown
http://www.imvu.com	Request for Quotation.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.89.88.238	unknown	Viet Nam		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356426
Start date:	23.02.2021
Start time:	07:35:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Request for Quotation.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@9/6@0/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 78.9% (good quality ratio 62.7%) Quality average: 62.9% Quality standard deviation: 39.3%
HCA Information:	Successful, ratio: 89% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe TCP Packets have been reduced to 100 Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:36:03	API Interceptor	1081x Sleep call for process: Request for Quotation.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
103.89.88.238	quote.exe	Get hash	malicious	Browse
	Quote.exe	Get hash	malicious	Browse
	Quotation Request.exe	Get hash	malicious	Browse
	payment.exe	Get hash	malicious	Browse
	Quotation(6656).exe	Get hash	malicious	Browse
	swift copy.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	#U007einvoice#U007eSC00978656.xlsx	Get hash	malicious	Browse	103.99.1.145
	quote.exe	Get hash	malicious	Browse	103.89.88.238
	Our New Order Feb 22 2021 at 2.30_PVV440_PDF.exe	Get hash	malicious	Browse	103.114.107.184
	RFQ Manual Supersucker en Espaol.xlsx	Get hash	malicious	Browse	103.141.138.128
	quotation10204168.dox.xlsx	Get hash	malicious	Browse	103.140.251.164
	notice of arrival.xlsx	Get hash	malicious	Browse	103.147.184.10
	22-2-2021 .xlsx	Get hash	malicious	Browse	103.141.138.118
	Shipping_Document.xlsx	Get hash	malicious	Browse	103.141.138.119
	Remittance copy.xlsx	Get hash	malicious	Browse	103.99.1.145
	CI + PL.xlsx	Get hash	malicious	Browse	103.141.138.121
	RFQ_Enquiry_0002379_.xlsx	Get hash	malicious	Browse	103.141.138.117
	purchase order.exe	Get hash	malicious	Browse	103.151.124.64
	IMAGE21200021118921000.exe	Get hash	malicious	Browse	103.151.123.132
	MV TEAL BULKERS.xlsx	Get hash	malicious	Browse	103.141.138.120
	ForeignRemittance_20210219_USD.xlsx	Get hash	malicious	Browse	103.147.184.10
	HBL VRNA00872.xlsx	Get hash	malicious	Browse	103.125.191.182
	statement.xlsx	Get hash	malicious	Browse	103.99.1.149
	MV SEASPAN EMERALD II.xlsx	Get hash	malicious	Browse	103.141.138.121
	_Doc_Shipment_330393_.xlsx	Get hash	malicious	Browse	103.141.138.117
	HBL VRN0924588.xlsx	Get hash	malicious	Browse	103.140.251.164

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\System.dll	#U007einvoice#U007eSC00978656.xlsx	Get hash	malicious	Browse
	Purchase Order___pdf ____________.exe	Get hash	malicious	Browse
	quote.exe	Get hash	malicious	Browse
	Order83930.exe	Get hash	malicious	Browse
	Invoice 6500TH21Y5674.exe	Get hash	malicious	Browse
	Invoice 6500TH21Y5674.exe	Get hash	malicious	Browse
	GPP.exe	Get hash	malicious	Browse
	OrderSuppliesQuote0817916.exe	Get hash	malicious	Browse
	ACCOUNT DETAILS.exe	Get hash	malicious	Browse
	Quotation.com.exe	Get hash	malicious	Browse
	Unterlagen PDF.exe	Get hash	malicious	Browse
	QuotationInvoices.exe	Get hash	malicious	Browse
	PO.exe	Get hash	malicious	Browse
	SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe	Get hash	malicious	Browse
	SecuriteInfo.com.FileRepMalware.24882.exe	Get hash	malicious	Browse
	PDF_doc.exe	Get hash	malicious	Browse
	09000000000000.jar	Get hash	malicious	Browse
	quotation10204168.dox.xlsx	Get hash	malicious	Browse
	notice of arrivalpdf.exe	Get hash	malicious	Browse
	R5BNZ68i0f.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aqx5kku77.dll Download File
Process:	C:\Users\user\Desktop\Request for Quotation.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	7.408207836374235
Encrypted:	false
SSDEEP:	384:OOCV5PqjbmDbusFpGZO7gOG4/yr5RdXF82WNbx/9gJTALB+deFk+riSlxV:O1zPmC/uaG46Rq/9gJALB4+t
MD5:	D58BF216C5DA94776AACA50132847A49
SHA1:	4444CBB553381C13409707562CED76CE6525879E
SHA-256:	04870A6CB3CF7B291FA4BB2378B3AEAE921E0C5D220A8420C327D779B7FD2180
SHA-512:	19E7F5EF052AE1195A01A993FC3B2E5DD464299A5E666DAA18132FE7F6264A9F354136CC2F3C90D0B20E7FCDC4BF9F8F55C2D63CB74DF0C6DA6F1FB1610AF4FA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 6%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e.N.e.N.e.N.e.N.e.NI..N.e.N..cN.e.N..gN.e.N..dN.e.N..aN.e.NRich.e.N................PE..L....84`...........!.........L............... ............................................@.........................P$..I.... ..................................d.................................................... ...............................code............................... ....rdata....... ......................@..@.data....@...0...B..................@....rsrc................P..............@..@.reloc...............R..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hbieekorpghvpuxbpehxjpq Download File
Process:	C:\Users\user\Desktop\Request for Quotation.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\Request for Quotation.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #U007einvoice#U007eSC00978656.xlsx, Detection: malicious, Browse Filename: Purchase Order___pdf ____________.exe, Detection: malicious, Browse Filename: quote.exe, Detection: malicious, Browse Filename: Order83930.exe, Detection: malicious, Browse Filename: Invoice 6500TH21Y5674.exe, Detection: malicious, Browse Filename: Invoice 6500TH21Y5674.exe, Detection: malicious, Browse Filename: GPP.exe, Detection: malicious, Browse Filename: OrderSuppliesQuote0817916.exe, Detection: malicious, Browse Filename: ACCOUNT DETAILS.exe, Detection: malicious, Browse Filename: Quotation.com.exe, Detection: malicious, Browse Filename: Unterlagen PDF.exe, Detection: malicious, Browse Filename: QuotationInvoices.exe, Detection: malicious, Browse Filename: PO.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.24882.exe, Detection: malicious, Browse Filename: PDF_doc.exe, Detection: malicious, Browse Filename: 09000000000000.jar, Detection: malicious, Browse Filename: quotation10204168.dox.xlsx, Detection: malicious, Browse Filename: notice of arrivalpdf.exe, Detection: malicious, Browse Filename: R5BNZ68i0f.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsh7778.tmp Download File
Process:	C:\Users\user\Desktop\Request for Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	167858
Entropy (8bit):	7.8527235413443
Encrypted:	false
SSDEEP:	3072:f/h6lq6XCc3XMkVOx0E/fhZA1lVN1189+pvOCrEfAWUWISphqya8DJNt:f2XCcH9Oe2TA33k+B3rgUWISpmMt
MD5:	9DACD2D5556A613412125B915ACC0A25
SHA1:	E57BA62C9D50A89174C1666F095DEB590B2D4F7B
SHA-256:	E44512128A5ED7778937E92B409D600C2889EE1C6D47582423C46DC411D2F2F2
SHA-512:	04ECBB17A1F333DD33DFCD7F1EFCA692B3787A6D8470C1BFFC70A263BA18E3E3F8437F7AA267407CE03A7004B92E8BB0555F3CB65BFACB664A5A096C70455A75
Malicious:	false
Reputation:	low
Preview:	........,...................$...............................................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oqhczwm.b Download File
Process:	C:\Users\user\Desktop\Request for Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	7.998518254143225
Encrypted:	true
SSDEEP:	3072:Pc3XMkVOx0E/fhZA1lVN1189+pvOCrEfAWUWISphqya8DI:PcH9Oe2TA33k+B3rgUWISpmx
MD5:	E5F20C3168A73483F3A1619FB349F0D2
SHA1:	92F885A7E1F271335CC4231BF0D4E4F76EA34A62
SHA-256:	347D68209F4E393B9977D0C593727388C34EEE54787A3F77E7F13E39005B616C
SHA-512:	40E42444B382D6F666A8EFAE9EF6635E8E81DD1EEBAF27F4B0DB9C5675C837EAA50AE0B7105AC75103A719563ECA7FF267E3F23DAE0D960465EFC884DECDB10F
Malicious:	false
Reputation:	low
Preview:	.?E....o9.s.E....;.J..L6..S4. ..vp..;.0.....GR.:.tiU.k..i...~.....{..@.XE.....`.?U{..-.N.......Zjpj.....- Z..tPm..zb...D.A../.%`..$(X#!{.S...E...-.........._..$....?...{ul.)..``.:...........p.....2..:S..l.$.....h...85.>"..+.n....E..:LG..a"..h..<...!q..........e"..mgP..?..{.....xr,......46.k..x....QE..kN.f...kA.;..b..r.P...y....><..k..#.H.7A.g. ]..k.5@..G...OJ..bk..qQk.....2..^.T=..jI...j..H.w1.(.<..R.v..{5.yl~.4o...9._~.P......)....0.ex...gx]x..s>........}...?._.....f...B}.@..K=...,.kF..CK....n.v.r)..z(o(G0...U..)Y...NE..M..c.....P........O..#.0ec..ODK...........d.t...0.A./-...T..f.s.....^.....W..T....,?...WS..)..h.h..@\|8><$....L?0L....h.(..\n...i.&.......p...,.$..e.....\......M...%....mXUz1d....<.....@......T....Y,d.-d.5.......#V...3.N.!....g.\..)f=.J.l..-...f.....-..7..\|\|...hPc3.R.b.xJ..X{g...cG..X.o..L7..X.F...r0......4.~x....c.je)OvSNGK...w\|...#z.4......9.".9......JcP/.'S]...R..i........ro\..rh.+..A.,Sl......Nh#.$..h@3..4.c

C:\Users\user\AppData\Roaming\excel\logs.dat Download File
Process:	C:\Users\user\Desktop\Request for Quotation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.673971569609487
Encrypted:	false
SSDEEP:	3:ttUHS4fWT9t8rA4RXMRPHv31aeo:tmFfbXqdHv3IP
MD5:	0073BB44B36B49586AF77FC9862DC123
SHA1:	E58E4867FEE6C88C8D161AAE1250C01D4066EE95
SHA-256:	6CFC8BC39002CDFF5F6CD53EB3E783EC612D3548E37270C04A84132180C8A60C
SHA-512:	1BC4F93CB13F9C9345FEA4479490BF9DD9F0B629C86199D773F312927A909C3F4EA76B9A1CF39AFE349B456E8AFA35628351AC8D485D420E7365AFF1EA170C9B
Malicious:	false
Reputation:	low
Preview:	..[2021/02/23 07:36:03 Offline Keylogger Started]....[ Program Manager ]..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.415276485535663
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Request for Quotation.exe
File size:	246893
MD5:	ae4bd6c5a7eaa50704d43d6054fc5dbd
SHA1:	ab597cfc0433999f2032c56fe2c9e17081bcab46
SHA256:	8e51354c8b2f461ab0cfb92409bc45bf4e06ae244080513e2d6224dc22f47771
SHA512:	b7b0b772a5e9e969f3d5389c1c12f053a5b3a7aa774fffa3a2dac8903df09a2a6b9d242a4f1fb63602d7581226ec647be44139d27aacd82dbec6242bcd3bab43
SSDEEP:	6144:M11Q0SiA9hfCmuW9e2TA3Hk+B3rUUWISpATi:ziIfCmuWE20kMUISpAO
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...L.......4............@

File Icon


Icon Hash:	f0f06094c36ee8c2

Static PE Info

General
Entrypoint:	0x403486
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D75F [Sat Aug 1 02:45:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ea4e67a31ace1a72683a99b80cf37830

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B0h]
call dword ptr [004080C0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F44Ch], eax
je 00007F0B98DA98F3h
push ebx
call 00007F0B98DACA6Eh
cmp eax, ebx
je 00007F0B98DA98E9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F0B98DAC9EAh
push esi
call dword ptr [004080B8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F0B98DA98CDh
push 0000000Bh
call 00007F0B98DACA42h
push 00000009h
call 00007F0B98DACA3Bh
push 00000007h
mov dword ptr [0042F444h], eax
call 00007F0B98DACA2Fh
cmp eax, ebx
je 00007F0B98DA98F1h
push 0000001Eh
call eax
test eax, eax
je 00007F0B98DA98E9h
or byte ptr [0042F44Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F518h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429878h
call dword ptr [0040816Ch]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0xdc50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x65ad	0x6600	False	0.675628063725	data	6.48593060343	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4634765625	data	5.26110074066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25558	0x600	False	0.470052083333	data	4.21916068772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0xdc50	0xde00	False	0.0953160191441	data	3.75209988336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x381d8	0xd228	data
RT_DIALOG	0x45400	0x100	data	English	United States
RT_DIALOG	0x45500	0x11c	data	English	United States
RT_DIALOG	0x4561c	0x60	data	English	United States
RT_GROUP_ICON	0x4567c	0x14	data
RT_VERSION	0x45690	0x280	data	English	United States
RT_MANIFEST	0x45910	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	Copyright adroit
FileVersion	83.34.3.56
CompanyName	ironing
LegalTrademarks	Dagoman
Comments	diamond in the rough
ProductName	sarita devi
FileDescription	mons pubis
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 07:36:04.512733936 CET	49726	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:04.737149000 CET	4299	49726	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:04.737268925 CET	49726	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:04.739273071 CET	49726	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:05.015842915 CET	4299	49726	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:05.016155958 CET	4299	49726	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:05.020406008 CET	49726	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:05.248426914 CET	4299	49726	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:05.256908894 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:05.296231031 CET	49726	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:05.512660980 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:05.513061047 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:05.513075113 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:05.784974098 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:05.785022020 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:05.785065889 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:05.785105944 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:05.785306931 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:05.785340071 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.035861015 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.035887957 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.035904884 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.035921097 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.035942078 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.035959959 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.035964966 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.035975933 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.035993099 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.036060095 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.282720089 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282752037 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282772064 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282793045 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282813072 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282830000 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282845020 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282855034 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.282870054 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282882929 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.282892942 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282912970 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.282913923 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282936096 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282953024 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.282958031 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.282979012 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.283000946 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.283004045 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.283046007 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.519969940 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520035028 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520073891 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520106077 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520113945 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520152092 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520163059 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520189047 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520229101 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520251989 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520267963 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520314932 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520358086 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520363092 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520395994 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520405054 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520433903 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520473957 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520487070 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520514011 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520553112 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520579100 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520589113 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520632982 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520637035 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520678997 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520715952 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520726919 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520755053 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520792007 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520802975 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520828009 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520869017 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520874977 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520905972 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520953894 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.520961046 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.520996094 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.521034002 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.521044016 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.521074057 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.521131039 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.763292074 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.763318062 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.763334990 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.763353109 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.763369083 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.763390064 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.763407946 CET	4299	49728	103.89.88.238	192.168.2.4
Feb 23, 2021 07:36:06.763416052 CET	49728	4299	192.168.2.4	103.89.88.238
Feb 23, 2021 07:36:06.763425112 CET	4299	49728	103.89.88.238	192.168.2.4

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Request for Quotation.exe PID: 7164 Parent PID: 5892

General

Start time:	07:36:00
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Request for Quotation.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Request for Quotation.exe'
Imagebase:	0x400000
File size:	246893 bytes
MD5 hash:	AE4BD6C5A7EAA50704D43D6054FC5DBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, Author: Joe Security Rule: Remcos_1, Description: Remcos Payload, Source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, Author: kevoreilly Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.644079874.0000000002A50000.00000004.00000001.sdmp, Author: unknown
Reputation:	low

Analysis Process: Request for Quotation.exe PID: 612 Parent PID: 7164

General

Start time:	07:36:01
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Request for Quotation.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Request for Quotation.exe'
Imagebase:	0x400000
File size:	246893 bytes
MD5 hash:	AE4BD6C5A7EAA50704D43D6054FC5DBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Remcos_1, Description: Remcos Payload, Source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000002.903195414.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Remcos_1, Description: Remcos Payload, Source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000001.641497403.0000000000400000.00000040.00020000.sdmp, Author: unknown
Reputation:	low

Analysis Process: Request for Quotation.exe PID: 6188 Parent PID: 612

General

Start time:	07:36:07
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Request for Quotation.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\hbieekorpghvpuxbpehxjpq'
Imagebase:	0x400000
File size:	246893 bytes
MD5 hash:	AE4BD6C5A7EAA50704D43D6054FC5DBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Request for Quotation.exe PID: 6424 Parent PID: 612

General

Start time:	07:36:07
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Request for Quotation.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\rvowfdgtdozazitngptymckjrq'
Imagebase:	0x400000
File size:	246893 bytes
MD5 hash:	AE4BD6C5A7EAA50704D43D6054FC5DBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Request for Quotation.exe PID: 5692 Parent PID: 612

General

Start time:	07:36:08
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Request for Quotation.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Request for Quotation.exe' /stext 'C:\Users\user\AppData\Local\Temp\uptpyvrmrwrfbohrpagsxhxaawaqan'
Imagebase:	0x400000
File size:	246893 bytes
MD5 hash:	AE4BD6C5A7EAA50704D43D6054FC5DBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Request for Quotation.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Remcos

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre