Loading ...

Play interactive tourEdit tour

Analysis Report Request for Quote.exe

Overview

General Information

Sample Name:Request for Quote.exe
Analysis ID:356719
MD5:40cb5c4488fff6e0c040ff45cba91ecf
SHA1:0ea670f7c180a52cd18c0630feea996dbf6dcf77
SHA256:e9910e5698751eadaa69204411cd4cfe896148b60e71687ab0bd741e790d0488
Tags:exe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Request for Quote.exe (PID: 2260 cmdline: 'C:\Users\user\Desktop\Request for Quote.exe' MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)
    • Request for Quote.exe (PID: 6376 cmdline: C:\Users\user\Desktop\Request for Quote.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)
  • Newapp.exe (PID: 996 cmdline: 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe' MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)
    • Newapp.exe (PID: 6400 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)
    • Newapp.exe (PID: 5592 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)
    • Newapp.exe (PID: 5484 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)
    • Newapp.exe (PID: 1188 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)
    • Newapp.exe (PID: 6108 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)
  • Newapp.exe (PID: 6676 cmdline: 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe' MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "zaYbvzrtpFoig4F", "URL: ": "http://0hH44dwVeXbULYg.com", "To: ": "jayz@flagmonkey.com.au", "ByHost: ": "mail.flagmonkey.com.au:587", "Password: ": "dB7Urg", "From: ": "jayz@flagmonkey.com.au"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000014.00000002.496055035.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 13 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            14.2.Newapp.exe.4a1e1a0.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.Request for Quote.exe.3ecf990.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.Request for Quote.exe.3ecf990.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  5.2.Request for Quote.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    14.2.Newapp.exe.4b44450.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 5 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: Request for Quote.exe.6376.5.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "zaYbvzrtpFoig4F", "URL: ": "http://0hH44dwVeXbULYg.com", "To: ": "jayz@flagmonkey.com.au", "ByHost: ": "mail.flagmonkey.com.au:587", "Password: ": "dB7Urg", "From: ": "jayz@flagmonkey.com.au"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeReversingLabs: Detection: 29%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Request for Quote.exeVirustotal: Detection: 28%Perma Link
                      Source: Request for Quote.exeReversingLabs: Detection: 17%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeJoe Sandbox ML: detected
                      Machine Learning detection for sampleShow sources
                      Source: Request for Quote.exeJoe Sandbox ML: detected
                      Source: 5.2.Request for Quote.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 20.2.Newapp.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Detected unpacking (overwrites its own PE header)Show sources
                      Source: C:\Users\user\Desktop\Request for Quote.exeUnpacked PE file: 0.2.Request for Quote.exe.280000.0.unpack
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeUnpacked PE file: 14.2.Newapp.exe.a80000.0.unpack
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeUnpacked PE file: 21.2.Newapp.exe.3f0000.0.unpack
                      Uses 32bit PE filesShow sources
                      Source: Request for Quote.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
                      Source: Request for Quote.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49740 -> 223.130.27.213:587
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49741 -> 223.130.27.213:587
                      C2 URLs / IPs found in malware configurationShow sources
                      Source: Malware configuration extractorURLs: http://0hH44dwVeXbULYg.com
                      Source: global trafficTCP traffic: 192.168.2.5:49740 -> 223.130.27.213:587
                      Source: Joe Sandbox ViewASN Name: SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU
                      Source: global trafficTCP traffic: 192.168.2.5:49740 -> 223.130.27.213:587
                      Source: unknownDNS traffic detected: queries for: mail.flagmonkey.com.au
                      Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Request for Quote.exe, 00000005.00000002.506806990.000000000332D000.00000004.00000001.sdmp, Request for Quote.exe, 00000005.00000003.469692196.0000000001174000.00000004.00000001.sdmpString found in binary or memory: http://0hH44dwVeXbULYg.com
                      Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: Request for Quote.exe, 00000005.00000002.506698485.000000000331F000.00000004.00000001.sdmpString found in binary or memory: http://flagmonkey.com.au
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: Request for Quote.exe, 00000005.00000002.506698485.000000000331F000.00000004.00000001.sdmpString found in binary or memory: http://mail.flagmonkey.com.au
                      Source: Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmpString found in binary or memory: http://qunect.com/download/QuNect.exe
                      Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp, Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmpString found in binary or memory: http://qunect.com/download/QuNect.exe&Operation
                      Source: Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmpString found in binary or memory: http://uHcRbL.com
                      Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp, Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmpString found in binary or memory: http://validator.w3.org/check?uri=referer
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: Request for Quote.exe, 00000000.00000003.233620527.0000000007A0C000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers$h
                      Source: Request for Quote.exe, 00000000.00000003.235037233.0000000007A0E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: Request for Quote.exe, 00000000.00000003.236228951.0000000007A0E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers1
                      Source: Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: Request for Quote.exe, 00000000.00000003.236763631.0000000007A0E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersb
                      Source: Request for Quote.exe, 00000000.00000002.253603269.00000000079DA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: Request for Quote.exe, 00000000.00000002.253603269.00000000079DA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comrsywa
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: Request for Quote.exe, 00000000.00000003.232018672.0000000007A00000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn%u
                      Source: Request for Quote.exe, 00000000.00000003.232276547.00000000079FE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/=v
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: Request for Quote.exe, 00000000.00000003.237763152.0000000007A01000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000003.237538687.0000000007A01000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000003.233466028.00000000079D9000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-
                      Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U
                      Source: Request for Quote.exe, 00000000.00000003.233218699.00000000079DB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                      Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/g
                      Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: Request for Quote.exe, 00000000.00000003.233466028.00000000079D9000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
                      Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
                      Source: Request for Quote.exe, 00000000.00000003.232949267.00000000079D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/n
                      Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/x
                      Source: Request for Quote.exe, 00000000.00000003.235244456.0000000007A0E000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                      Source: Request for Quote.exe, 00000000.00000002.249616180.0000000003DB9000.00000004.00000001.sdmp, Request for Quote.exe, 00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp, Newapp.exe, 0000000E.00000002.346647833.0000000004839000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.496055035.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: Newapp.exe, 0000000E.00000002.343532586.0000000001178000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Users\user\Desktop\Request for Quote.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 20.2.Newapp.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b55CF6D69u002d4E5Du002d4D68u002d8E88u002dF08D6C6E8534u007d/u0032F84C677u002d560Eu002d4E76u002d8A12u002d7C63DA2EDA80.csLarge array initialization: .cctor: array initializer size 11991
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025910280_2_02591028
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025921680_2_02592168
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025917D00_2_025917D0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_02592FE00_2_02592FE0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0259EC500_2_0259EC50
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025953180_2_02595318
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025953080_2_02595308
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025950C80_2_025950C8
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025950B90_2_025950B9
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025957980_2_02595798
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025904D20_2_025904D2
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025955900_2_02595590
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_025955810_2_02595581
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_02594A500_2_02594A50
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_02594A600_2_02594A60
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_02593E900_2_02593E90
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_02593EA00_2_02593EA0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_02590F210_2_02590F21
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_02592F9A0_2_02592F9A
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_02590F880_2_02590F88
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_045D0FC00_2_045D0FC0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_045D35E80_2_045D35E8
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_045D3C480_2_045D3C48
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_045D00400_2_045D0040
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_045D00060_2_045D0006
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0A9842F00_2_0A9842F0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0A984BB00_2_0A984BB0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0A984BC00_2_0A984BC0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0A9843000_2_0A984300
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0AB932380_2_0AB93238
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0AB9782E0_2_0AB9782E
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0AB93E880_2_0AB93E88
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0AB95DE80_2_0AB95DE8
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0AB95DD80_2_0AB95DD8
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0AB9C3F00_2_0AB9C3F0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_014169105_2_01416910
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_014161D85_2_014161D8
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_01415BA05_2_01415BA0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_0142822C5_2_0142822C
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_0142EBD85_2_0142EBD8
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_014399A05_2_014399A0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_014360805_2_01436080
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_0143EAE85_2_0143EAE8
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_014305865_2_01430586
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_0143C6685_2_0143C668
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_014371B05_2_014371B0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_0143F5C05_2_0143F5C0
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0157217814_2_01572178
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0157102814_2_01571028
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_015717E014_2_015717E0
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0157EC5014_2_0157EC50
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01572FE014_2_01572FE0
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0157216814_2_01572168
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_015750C814_2_015750C8
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_015750B914_2_015750B9
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0157531814_2_01575318
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0157530814_2_01575308
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0157559014_2_01575590
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0157558114_2_01575581
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_015704D214_2_015704D2
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_015704E014_2_015704E0
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_015717D014_2_015717D0
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0157579814_2_01575798
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_015757A814_2_015757A8
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01574A5014_2_01574A50
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01574A6014_2_01574A60
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01574D6814_2_01574D68
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01570F2114_2_01570F21
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01572F9A14_2_01572F9A
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01570F8814_2_01570F88
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01573E9014_2_01573E90
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01573EA014_2_01573EA0
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FDFC6814_2_02FDFC68
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FD82D014_2_02FD82D0
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FDA0B014_2_02FDA0B0
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FDA0A114_2_02FDA0A1
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FDC7B814_2_02FDC7B8
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FDC7A914_2_02FDC7A9
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FD873014_2_02FD8730
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FD8B4814_2_02FD8B48
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FD8B3814_2_02FD8B38
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FDCE3014_2_02FDCE30
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FDCDF814_2_02FDCDF8
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0967C35014_2_0967C350
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0967782E14_2_0967782E
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_09675DE814_2_09675DE8
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_09675DDB14_2_09675DDB
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_09673F8814_2_09673F88
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0970104814_2_09701048
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0970004014_2_09700040
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0970001614_2_09700016
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 20_2_019B486020_2_019B4860
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 20_2_019B479020_2_019B4790
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 20_2_019BDBC020_2_019BDBC0
                      Source: Request for Quote.exeBinary or memory string: OriginalFilename vs Request for Quote.exe
                      Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs Request for Quote.exe
                      Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamedoOqGWMpIYencJvzbUkLaMlQGw.exe4 vs Request for Quote.exe
                      Source: Request for Quote.exe, 00000000.00000002.255811808.000000000ABA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Request for Quote.exe
                      Source: Request for Quote.exe, 00000000.00000000.227538059.0000000000282000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameOpFlags.exe< vs Request for Quote.exe
                      Source: Request for Quote.exe, 00000000.00000002.254880635.000000000A9A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Request for Quote.exe
                      Source: Request for Quote.exeBinary or memory string: OriginalFilename vs Request for Quote.exe
                      Source: Request for Quote.exe, 00000005.00000002.497343586.0000000000C42000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameOpFlags.exe< vs Request for Quote.exe
                      Source: Request for Quote.exe, 00000005.00000002.511879488.0000000006390000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Request for Quote.exe
                      Source: Request for Quote.exe, 00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamedoOqGWMpIYencJvzbUkLaMlQGw.exe4 vs Request for Quote.exe
                      Source: Request for Quote.exe, 00000005.00000002.498162050.00000000010F8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Request for Quote.exe
                      Source: Request for Quote.exe, 00000005.00000002.502647164.0000000001400000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Request for Quote.exe
                      Source: Request for Quote.exeBinary or memory string: OriginalFilenameOpFlags.exe< vs Request for Quote.exe
                      Source: Request for Quote.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Request for Quote.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Newapp.exe.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 20.2.Newapp.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 20.2.Newapp.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/4@2/1
                      Source: C:\Users\user\Desktop\Request for Quote.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request for Quote.exe.logJump to behavior
                      Source: Request for Quote.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Request for Quote.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Request for Quote.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Request for Quote.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Request for Quote.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Request for Quote.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\Request for Quote.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Request for Quote.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Request for Quote.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: Request for Quote.exeVirustotal: Detection: 28%
                      Source: Request for Quote.exeReversingLabs: Detection: 17%
                      Source: C:\Users\user\Desktop\Request for Quote.exeFile read: C:\Users\user\Desktop\Request for Quote.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Request for Quote.exe 'C:\Users\user\Desktop\Request for Quote.exe'
                      Source: unknownProcess created: C:\Users\user\Desktop\Request for Quote.exe C:\Users\user\Desktop\Request for Quote.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe'
                      Source: C:\Users\user\Desktop\Request for Quote.exeProcess created: C:\Users\user\Desktop\Request for Quote.exe C:\Users\user\Desktop\Request for Quote.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeProcess created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exeJump to behavior
                      Source: C:\Users\user\Desktop\Request for Quote.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\Request for Quote.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Request for Quote.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Request for Quote.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Request for Quote.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      Detected unpacking (changes PE section rights)Show sources
                      Source: C:\Users\user\Desktop\Request for Quote.exeUnpacked PE file: 0.2.Request for Quote.exe.280000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeUnpacked PE file: 14.2.Newapp.exe.a80000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeUnpacked PE file: 21.2.Newapp.exe.3f0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                      Detected unpacking (overwrites its own PE header)Show sources
                      Source: C:\Users\user\Desktop\Request for Quote.exeUnpacked PE file: 0.2.Request for Quote.exe.280000.0.unpack
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeUnpacked PE file: 14.2.Newapp.exe.a80000.0.unpack
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeUnpacked PE file: 21.2.Newapp.exe.3f0000.0.unpack
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_00285464 push 97205ACAh; retf 0_2_00285482
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_00283F94 push es; ret 0_2_00284004
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_002852D8 push ecx; retf 0_2_002852DD
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_00283FD6 push es; ret 0_2_00284004
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_02596A6E push ecx; retf 0_2_02596A6F
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_02596D62 push F297BACAh; retf 0_2_02596D67
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 0_2_0AB9AFA0 push eax; ret 0_2_0AB9AFA1
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_00C43FD6 push es; ret 5_2_00C44004
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_00C42ED2 push ds; iretd 5_2_00C42EE0
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_00C452D8 push ecx; retf 5_2_00C452DD
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_00C42AEB push eax; retf 5_2_00C42AF8
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_00C43F94 push es; ret 5_2_00C44004
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_00C45464 push 97205ACAh; retf 5_2_00C45482
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_00C42E3B push 00000027h; retf 5_2_00C42E46
                      Source: C:\Users\user\Desktop\Request for Quote.exeCode function: 5_2_0141B5F7 push edi; retn 0000h5_2_0141B5F9
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_00A83F94 push es; ret 14_2_00A84004
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_00A852D8 push ecx; retf 14_2_00A852DD
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_00A83FD6 push es; ret 14_2_00A84004
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_00A85464 push 97205ACAh; retf 14_2_00A85482
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01576A6E push ecx; retf 14_2_01576A6F
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_01576D62 push F297BACAh; retf 14_2_01576D67
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FD9ED1 push ecx; ret 14_2_02FD9EE5
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_02FD5FF4 push eax; iretd 14_2_02FD5FF5
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_0967AFA0 push eax; ret 14_2_0967AFA1
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 14_2_09704145 push FFFFFF8Bh; iretd 14_2_09704147
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 15_2_00282E3B push 00000027h; retf 15_2_00282E46
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 15_2_00285464 push 97205ACAh; retf 15_2_00285482
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 15_2_00283F94 push es; ret 15_2_00284004
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 15_2_00282AEB push eax; retf 15_2_00282AF8
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 15_2_002852D8 push ecx; retf 15_2_002852DD
                      Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeCode function: 15_2_00282ED2 push ds; iretd 15_2_00282EE0
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.52597216215
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.52597216215
                      Source: C:\Users\user\Desktop\Request for Quote.exeFile created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exeJump to dropped file
                      Source: C:\Users\user\Desktop\Request for Quote.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NewappJump to behavior
                      Source: C:\Users\user\Desktop\Request for Quote.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NewappJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      bar