Windows Analysis Report
ADOC RFQ-WCMS-18097255.exe

Overview

General Information

Sample Name: ADOC RFQ-WCMS-18097255.exe
Analysis ID: 764045
MD5: 856317033475c7932f8cbf88ec2b7ef8
SHA1: 6b24fa54a990477bde13f64144d5d5a1187c40b9
SHA256: 15700616b67e3ac2d97cfb221762dca3b2b36cc9d3e1cf7ca8737acc9bb4db84
Tags: exe
Infos:

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • ADOC RFQ-WCMS-18097255.exe (PID: 5788 cmdline: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe MD5: 856317033475C7932F8CBF88EC2B7EF8)
  • cleanup
{"Exfil Mode": "SMTP", "Host": "us2.smtp.mailhostbox.com", "Username": "gamzy@freesteelmyst.xyz", "Password": "  JIRUmBO0        "}
Source | Rule | Description | Author | Strings
00000000.00000002.508080417.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
    00000000.00000002.513606305.0000000003C61000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
    • 0x23760:$a20: get_LastAccessed
    • 0x25885:$a30: set_GuidMasterKey
    • 0x23814:$a33: get_Clipboard
    • 0x23822:$a34: get_Keyboard
    • 0x249cd:$a35: get_ShiftKeyDown
    • 0x249de:$a36: get_AltKeyDown
    • 0x2382f:$a37: get_Password
    • 0x24253:$a38: get_PasswordHash
    • 0x250d6:$a39: get_DefaultCredentials
    00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
    • 0x2619e:$s10: logins
    • 0x25cd7:$s11: credential
    • 0x22b94:$g1: get_Clipboard
    • 0x22ba2:$g2: get_Keyboard
    • 0x22baf:$g3: get_Password
    • 0x23d3d:$g4: get_CtrlKeyDown
    • 0x23d4d:$g5: get_ShiftKeyDown
    • 0x23d5e:$g6: get_AltKeyDown
    00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
    • 0x22ae0:$a20: get_LastAccessed
    • 0x24c05:$a30: set_GuidMasterKey
    • 0x22b94:$a33: get_Clipboard
    • 0x22ba2:$a34: get_Keyboard
    • 0x23d4d:$a35: get_ShiftKeyDown
    • 0x23d5e:$a36: get_AltKeyDown
    • 0x22baf:$a37: get_Password
    • 0x235d3:$a38: get_PasswordHash
    • 0x24456:$a39: get_DefaultCredentials
    00000000.00000002.510469030.0000000003881000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
    • 0x53430:$a20: get_LastAccessed
    • 0x55555:$a30: set_GuidMasterKey
    • 0x534e4:$a33: get_Clipboard
    • 0x534f2:$a34: get_Keyboard
    • 0x5469d:$a35: get_ShiftKeyDown
    • 0x546ae:$a36: get_AltKeyDown
    • 0x534ff:$a37: get_Password
    • 0x53f23:$a38: get_PasswordHash
    • 0x54da6:$a39: get_DefaultCredentials
    Source | Rule | Description | Author | Strings
    0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
    • 0x2439e:$s10: logins
    • 0x23ed7:$s11: credential
    • 0x20d94:$g1: get_Clipboard
    • 0x20da2:$g2: get_Keyboard
    • 0x20daf:$g3: get_Password
    • 0x21f3d:$g4: get_CtrlKeyDown
    • 0x21f4d:$g5: get_ShiftKeyDown
    • 0x21f5e:$g6: get_AltKeyDown
    0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
    • 0x20ce0:$a20: get_LastAccessed
    • 0x22e05:$a30: set_GuidMasterKey
    • 0x20d94:$a33: get_Clipboard
    • 0x20da2:$a34: get_Keyboard
    • 0x21f4d:$a35: get_ShiftKeyDown
    • 0x21f5e:$a36: get_AltKeyDown
    • 0x20daf:$a37: get_Password
    • 0x217d3:$a38: get_PasswordHash
    • 0x22656:$a39: get_DefaultCredentials
    0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
    • 0x2619e:$s10: logins
    • 0x25cd7:$s11: credential
    • 0x22b94:$g1: get_Clipboard
    • 0x22ba2:$g2: get_Keyboard
    • 0x22baf:$g3: get_Password
    • 0x23d3d:$g4: get_CtrlKeyDown
    • 0x23d4d:$g5: get_ShiftKeyDown
    • 0x23d5e:$g6: get_AltKeyDown
    0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
    • 0x22ae0:$a20: get_LastAccessed
    • 0x24c05:$a30: set_GuidMasterKey
    • 0x22b94:$a33: get_Clipboard
    • 0x22ba2:$a34: get_Keyboard
    • 0x23d4d:$a35: get_ShiftKeyDown
    • 0x23d5e:$a36: get_AltKeyDown
    • 0x22baf:$a37: get_Password
    • 0x235d3:$a38: get_PasswordHash
    • 0x24456:$a39: get_DefaultCredentials
    0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
    • 0x4c3be:$s10: logins
    • 0x4bef7:$s11: credential
    • 0x48db4:$g1: get_Clipboard
    • 0x48dc2:$g2: get_Keyboard
    • 0x48dcf:$g3: get_Password
    • 0x49f5d:$g4: get_CtrlKeyDown
    • 0x49f6d:$g5: get_ShiftKeyDown
    • 0x49f7e:$g6: get_AltKeyDown
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: ADOC RFQ-WCMS-18097255.exeJoe Sandbox ML: detected
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "us2.smtp.mailhostbox.com", "Username": "gamzy@freesteelmyst.xyz", "Password": " JIRUmBO0 "}
    Source: ADOC RFQ-WCMS-18097255.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: ADOC RFQ-WCMS-18097255.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Joe Sandbox ViewIP Address: 208.91.199.223 208.91.199.223
    Source: global trafficTCP traffic: 192.168.2.3:49698 -> 208.91.199.223:587
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://CtxmCtXtvGR51e3orE.org
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0A
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
    Source: unknownDNS traffic detected: queries for: us2.smtp.mailhostbox.com

    System Summary

    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
    Source: 00000000.00000002.513606305.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 00000000.00000002.510469030.0000000003881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: ADOC RFQ-WCMS-18097255.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
    Source: 00000000.00000002.513606305.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 00000000.00000002.510469030.0000000003881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_026BE6900_2_026BE690
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_026BC2340_2_026BC234
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_026BE6800_2_026BE680
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097E9CD00_2_097E9CD0
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097EBC900_2_097EBC90
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097E90B80_2_097E90B8
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097E94000_2_097E9400
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097F00400_2_097F0040
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097F00120_2_097F0012
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.513606305.0000000003C61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename23d4a2f1-fc83-426a-8c72-0a56a8653dfa.exe4 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000000.238484102.00000000005F8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameTyTT.exeB vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.518144683.0000000006FA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.517937105.0000000006F70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.510469030.0000000003881000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename23d4a2f1-fc83-426a-8c72-0a56a8653dfa.exe4 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.513808651.0000000003CD5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename23d4a2f1-fc83-426a-8c72-0a56a8653dfa.exe4 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.519242545.0000000007200000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exeBinary or memory string: OriginalFilenameTyTT.exeB vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; File created: C:\Users\user\AppData\Local\Temp\tmp7DB0.tmp
    Source: classification engine; Classification label: mal96.troj.spyw.evad.winEXE@1/0@1/1
    Source: ADOC RFQ-WCMS-18097255.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: ADOC RFQ-WCMS-18097255.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: ADOC RFQ-WCMS-18097255.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: ADOC RFQ-WCMS-18097255.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Code function: 0_2_097EA6E8 push esp; ret 0_2_097EA6E9
    Source: ADOC RFQ-WCMS-18097255.exe; Static PE information: 0xE8FF4486 [Sat Nov 14 13:22:14 2093 UTC]
    Source: initial sample; Static PE information: section name: .text entropy: 7.556547919849989
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: Yara match; File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match; File source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTR
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe TID: 5836; Thread sleep time: -38122s >= -30000s
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe TID: 4224; Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Window / User API: threadDelayed 9359
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Thread delayed: delay time: 38122
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA II
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Process token adjusted: Debug
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Memory allocated: page read and write | page guard
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Queries volume information: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match, File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000000.00000002.508080417.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTR
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe, File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

    Remote Access Functionality

    Source: Yara match, File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000000.00000002.508080417.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTR
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
    Defense Evasion: 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 2 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; Steganography
    Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 114 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: 1 Email Collection; 1 Archive Collected Data; 2 Data from Local System; Input Capture; Keylogging; GUI Input Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

    Source: ADOC RFQ-WCMS-18097255.exe, Detection: 100%, Scanner: Joe Sandbox ML
    No Antivirus matches
    Name: us2.smtp.mailhostbox.com, IP: 208.91.199.223, Active: true, Malicious: false, Reputation: high
    IP: 208.91.199.223, Domain: us2.smtp.mailhostbox.com, Country: United States, ASN: 394695, ASN Name: PUBLIC-DOMAIN-REGISTRYUS, Malicious: false
    Joe Sandbox Version: 36.0.0 Rainbow Opal
    Analysis ID: 764045
    Start date and time: 2022-12-09 11:04:13 +01:00
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 6m 19s
    Hypervisor based Inspection enabled: false
    Report type: full
    Sample file name: ADOC RFQ-WCMS-18097255.exe
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed: 12
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal96.troj.spyw.evad.winEXE@1/0@1/1
    EGA Information:
    • Successful, ratio: 100%
    HDC Information: Failed
    HCA Information:
    • Successful, ratio: 94%
    • Number of executed functions: 70
    • Number of non-executed functions: 4
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): fs.microsoft.com
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time: 11:05:12, Type: API Interceptor, Description: 753x Sleep call for process: ADOC RFQ-WCMS-18097255.exe modified
    No created / dropped files found
    File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Entropy (8bit): 7.555023841660244
    TrID:
    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
    • Win32 Executable (generic) a (10002005/4) 49.75%
    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
    • Windows Screen Saver (13104/52) 0.07%
    • Generic Win/DOS Executable (2004/3) 0.01%
    File name: ADOC RFQ-WCMS-18097255.exe
    File size: 1003520
    MD5: 856317033475c7932f8cbf88ec2b7ef8
    SHA1: 6b24fa54a990477bde13f64144d5d5a1187c40b9
    SHA256: 15700616b67e3ac2d97cfb221762dca3b2b36cc9d3e1cf7ca8737acc9bb4db84
    SHA512: 58231da8dfb1eec9d94841ef9d5474d64e13f31365d517eecc28f17c71851762a383b8a7837db446e7fb17aaa546d8728ef36e2425683fc07536fa330bc89f6f
    SSDEEP: 12288:b1fhB01+YyFwG5JKp5ctm1V63em1nHATF+JRS1TWRfg3ZpFL:b1fhC1Jy95JKLf63eDqxIJpF
    TLSH: 0E257DD5ABF2A026F48F72522418369DDC35BD43774BE19667723B4082D48FFB6A8483
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D................0..H..........~f... ........@.. ....................................@................................
    Icon Hash: 00828e8e8686b000
    Entrypoint: 0x4f667e
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Time Stamp: 0xE8FF4486 [Sat Nov 14 13:22:14 2093 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 4
    OS Version Minor: 0
    File Version Major: 4
    File Version Minor: 0
    Subsystem Version Major: 4
    Subsystem Version Minor: 0
    Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0xf662c          0x4f          .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0xf8000          0x398         .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xfa000          0xc           .reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0xf6610          0x1c          .text
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                                                    .text   0x2000           0xf4684       0xf4800   False     0.8147017590107362  data       7.556547919849989    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .rsrc   0xf8000          0x398         0x400     False     0.3828125           data       2.924448333381374    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc  0xfa000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Name        RVA      Size   Type  Language  Country
                                                                    RT_VERSION  0xf8058  0x33c  data

                                                                    DLL          Import
                                                                    mscoree.dll  _CorExeMain
                                                                    Timestamp                           Source Port  Dest Port  Source IP    Dest IP
                                                                    Dec 9, 2022 11:05:30.229001999 CET  62704        53         192.168.2.3  8.8.8.8
                                                                    Dec 9, 2022 11:05:30.248526096 CET  53           62704      8.8.8.8      192.168.2.3

                                                                    Timestamp                           Source IP    Dest IP      Trans ID  OP Code             Name                      Type            Class        DNS over HTTPS
                                                                    Dec 9, 2022 11:05:30.229001999 CET  192.168.2.3  8.8.8.8      0xe412    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)  false

                                                                    Timestamp                           Source IP    Dest IP      Trans ID  Reply Code    Name                      CName  Address         Type            Class        DNS over HTTPS
                                                                    Dec 9, 2022 11:05:30.248526096 CET  8.8.8.8      192.168.2.3  0xe412    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)  false
                                                                    Dec 9, 2022 11:05:30.248526096 CET  8.8.8.8      192.168.2.3  0xe412    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)  false
                                                                    Dec 9, 2022 11:05:30.248526096 CET  8.8.8.8      192.168.2.3  0xe412    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)  false
                                                                    Dec 9, 2022 11:05:30.248526096 CET  8.8.8.8      192.168.2.3  0xe412    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)  false

                                                                    Timestamp                           Source Port  Dest Port  Source IP       Dest IP         Commands
                                                                    Dec 9, 2022 11:05:30.991494894 CET  587          49698      208.91.199.223  192.168.2.3     220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                    Dec 9, 2022 11:05:30.991981030 CET  49698        587        192.168.2.3     208.91.199.223  EHLO 960781
                                                                    Dec 9, 2022 11:05:31.160362959 CET  587          49698      208.91.199.223  192.168.2.3     250-us2.outbound.mailhostbox.com
                                                                                                                                                                250-PIPELINING
                                                                                                                                                                250-SIZE 41648128
                                                                                                                                                                250-VRFY
                                                                                                                                                                250-ETRN
                                                                                                                                                                250-STARTTLS
                                                                                                                                                                250-AUTH PLAIN LOGIN
                                                                                                                                                                250-AUTH=PLAIN LOGIN
                                                                                                                                                                250-ENHANCEDSTATUSCODES
                                                                                                                                                                250-8BITMIME
                                                                                                                                                                250-DSN
                                                                                                                                                                250 CHUNKING
                                                                    Dec 9, 2022 11:05:31.160856962 CET  49698        587        192.168.2.3     208.91.199.223  STARTTLS
                                                                    Dec 9, 2022 11:05:31.328228951 CET  587          49698      208.91.199.223  192.168.2.3     220 2.0.0 Ready to start TLS

                                                                    Target ID:0
                                                                    Start time:11:05:03
                                                                    Start date:09/12/2022
                                                                    Path:C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe
                                                                    Imagebase:0x500000
                                                                    File size:1003520 bytes
                                                                    MD5 hash:856317033475C7932F8CBF88EC2B7EF8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.508080417.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.513606305.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.510469030.0000000003881000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low

                                                                      Execution Graph

                                                                      Execution Coverage:15.7%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:128
                                                                      Total number of Limit Nodes:5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 54cbe37338ecc337fa38b4d303617804954b209be426ed7489f75de1c148991f
                                                                      • Instruction ID: 118aebc07319869d867f63a5b961e89af7afb4a35b0b0e3162a717177f977e97
                                                                      • Opcode Fuzzy Hash: 54cbe37338ecc337fa38b4d303617804954b209be426ed7489f75de1c148991f
                                                                      • Instruction Fuzzy Hash: 5CD18D71E002098FCB14DFA9C484AAEFBF2FF88314F15856AE515AB351DB74AD46CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bf33520ae8c4f455ac770c608e658611e017221e77d5b240981f86ad5f7f4989
                                                                      • Instruction ID: 9cbb3a5ca7ff8f75c080cb451131a6b763adfa2b3d22e7f9a91866aed5c2ce1e
                                                                      • Opcode Fuzzy Hash: bf33520ae8c4f455ac770c608e658611e017221e77d5b240981f86ad5f7f4989
                                                                      • Instruction Fuzzy Hash: 7312B5F9C917468AD310CF65F49C2893BA1B74532AFD06B08D2A12BAD1D7BE117ACF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d69f2996ae9d684ae4cf38512262d54107d3a8ea946b27c4d555f542b80beb8f
                                                                      • Instruction ID: 4a3501cc5c6a833963f97e7c06da55f60fdac4bceb921dcb0be6190e1f854be3
                                                                      • Opcode Fuzzy Hash: d69f2996ae9d684ae4cf38512262d54107d3a8ea946b27c4d555f542b80beb8f
                                                                      • Instruction Fuzzy Hash: 7FB16E72E00619CFDB14CFA9C8817DDBBF2BF88754F248529E919E7294EB749841CB81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 618a4378f1e3e5d336a93c33716f67663cca0cb68b0ea98b22260703f3ea2466
                                                                      • Instruction ID: 103722e9bdc396c2299e2c01045900de316314d5a373e8e9ff2dc77147f5ed8a
                                                                      • Opcode Fuzzy Hash: 618a4378f1e3e5d336a93c33716f67663cca0cb68b0ea98b22260703f3ea2466
                                                                      • Instruction Fuzzy Hash: 4C914A72E00209DFDF14CFA9C8857EEBBF6AF88714F148129E915A7294DB749885CB81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c89f463ff67071734266250b15354f16498110e123559098b3f1bc98d7cc12b7
                                                                      • Instruction ID: f630240afada0419b9cd1e7eac8153edd154d618123c6584f80937fba0b72e5f
                                                                      • Opcode Fuzzy Hash: c89f463ff67071734266250b15354f16498110e123559098b3f1bc98d7cc12b7
                                                                      • Instruction Fuzzy Hash: DCC129B9C917468AD710CF65E89C2893B71BB8532AFD06B08D2612B6D1D7BE107ACF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 0 97eea8b-97ef1f5 KiUserExceptionDispatcher * 2 111 97ef1fb-97ef22e 0->111
                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EEA8B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 586e36db327c3022f8bad55d5f3b742b13c5f1ec9b29d07228788b6bf9737733
                                                                      • Instruction ID: 064fab9a9f6bf6846b5aede6a73a64e9cb0aeec60f3921081836695a03372543
                                                                      • Opcode Fuzzy Hash: 586e36db327c3022f8bad55d5f3b742b13c5f1ec9b29d07228788b6bf9737733
                                                                      • Instruction Fuzzy Hash: EAC1E176A01218CFD754DB78E849B59B3F2BF8C255F1081A9E50AD33A4DB399D81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 114 97eeaac-97ef1f5 KiUserExceptionDispatcher 226 97ef1fb-97ef22e 114->226
                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 1390427173f198aab7336dd49d189a1a7afb4eb2d703d7ccda70bd9da3651299
                                                                      • Instruction ID: 60e798faae72fbbcaa5ba601b032a7e9e110cc5f4cc973810ad26f2f340fe605
                                                                      • Opcode Fuzzy Hash: 1390427173f198aab7336dd49d189a1a7afb4eb2d703d7ccda70bd9da3651299
                                                                      • Instruction Fuzzy Hash: 31C1E176A01218CFD754EB78E849B59B3F2BF8C255F1081A9E50AD33A4DB399D81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 229 97eeae6-97ef1f5 KiUserExceptionDispatcher 338 97ef1fb-97ef22e 229->338
                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 29ae15d153ad3828946a00f083c4de9a5f82025c80f5dddb43c0c54fdaeadf8d
                                                                      • Instruction ID: 1d22a44bbeb3027a096aba7dc476f56973e3846ef829a55410d46178a9d4d63d
                                                                      • Opcode Fuzzy Hash: 29ae15d153ad3828946a00f083c4de9a5f82025c80f5dddb43c0c54fdaeadf8d
                                                                      • Instruction Fuzzy Hash: 72C1E176A01218CFD754EB78E849B59B3F2BF8C255F1081A9E50AD33A4DB399D81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 341 97eeb20-97ef1f5 KiUserExceptionDispatcher 447 97ef1fb-97ef22e 341->447
                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 7b5f50a1b702efa67214b296272c5f8d1034de2400ccd13bb980836426d10a96
                                                                      • Instruction ID: f95f5bb2172759435818607ad48e00e60be48ceff2ff12b58da0d9e16329a1e9
                                                                      • Opcode Fuzzy Hash: 7b5f50a1b702efa67214b296272c5f8d1034de2400ccd13bb980836426d10a96
                                                                      • Instruction Fuzzy Hash: D8B1F176A01218CFD754EB78E849B59B3F2BF8C255F1081A9E50AD33A0DB399D81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026BFF2A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 1eb3d9564f6fe0b5325c994ccd74954038878ef2440e1d4fb87191e974847415
                                                                      • Instruction ID: 00e176de15a194dfc29de54ecc15144f43ce72f99dc1f8687dc0ebedfb267c92
                                                                      • Opcode Fuzzy Hash: 1eb3d9564f6fe0b5325c994ccd74954038878ef2440e1d4fb87191e974847415
                                                                      • Instruction Fuzzy Hash: 29919CB1C093899FDB06CFA5C8949CDBFB1FF4A300F2A819AE444AB262D7345956CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 468 97eeb5a-97ef1f5 KiUserExceptionDispatcher 571 97ef1fb-97ef22e 468->571
                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 7b15b3d59d9a4e1d860c2bd38cf092eff55e07796bd46e1533e9ef9a8f6adc46
                                                                      • Instruction ID: 053027aaf77ceb11ee7cb504f60765d58684a6bc47c34a41dad94c56f53e8524
                                                                      • Opcode Fuzzy Hash: 7b15b3d59d9a4e1d860c2bd38cf092eff55e07796bd46e1533e9ef9a8f6adc46
                                                                      • Instruction Fuzzy Hash: FAB1F276A01218CFD754EB78E849B59B3F2BF8C255F1081A9E50AD33A0DB399D81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 90e04879d63de9514596e728f88b4d514413e732e87ed77cbf046c1c1f83bf0b
                                                                      • Instruction ID: c3718c13e3bf716912c22f6efe30903586cb9d2e590e51a0e06e94d619dc5246
                                                                      • Opcode Fuzzy Hash: 90e04879d63de9514596e728f88b4d514413e732e87ed77cbf046c1c1f83bf0b
                                                                      • Instruction Fuzzy Hash: 76A10276A01218CFD754EB78E849B59B3F2BF8C255F1081A9E50AD33A0DB399D81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: e004bd22274541990624d8369f5c70d3d9dac3cf033f0370c0d95a7d0dcd78e7
                                                                      • Instruction ID: 8c4029e82f919b527fcc0ee32a0b0e893e5fe76c419b0fe269b89092180e8e66
                                                                      • Opcode Fuzzy Hash: e004bd22274541990624d8369f5c70d3d9dac3cf033f0370c0d95a7d0dcd78e7
                                                                      • Instruction Fuzzy Hash: 7CA11376A01218CFD754EB78E849B59B3F2BF8C255F1081A9E50AD33A0DB399D81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 777 97eec08-97ef1f5 KiUserExceptionDispatcher 871 97ef1fb-97ef22e 777->871
                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 26a8f1b9a27326025de00b7e1b763a8e38b224bd37816615b493e8a060d45f92
                                                                      • Instruction ID: 8a0da04b6bcfeb61dcb594cfbf64b72576cfb5e46060367d06e7b561b2c22c54
                                                                      • Opcode Fuzzy Hash: 26a8f1b9a27326025de00b7e1b763a8e38b224bd37816615b493e8a060d45f92
                                                                      • Instruction Fuzzy Hash: F1A11676A01218CFD754EB78E849B59B3F2BF88255F1081A9E50AD33A0DF399D81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 2b1a933ace94240cfe7cc69673ca07fcaf8469dee6c1b4353d99be16187ae002
                                                                      • Instruction ID: a75181fe6f74d33a29a6e6c91e40bb59b917976cacbaf9dce52d99c1d335675e
                                                                      • Opcode Fuzzy Hash: 2b1a933ace94240cfe7cc69673ca07fcaf8469dee6c1b4353d99be16187ae002
                                                                      • Instruction Fuzzy Hash: C3911776A01218CFD754EB78E849B59B3F2BF88255F1085A9E50AD33A0DF399D81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 8476fe2989113d5a76d789d532b59fe8edfc103eb22a8b24f148f3843e8543d3
                                                                      • Instruction ID: 77fd67a8221f638e81a06aa1df33ff3b8e54cb1296c55da38a7d381c5e8a163e
                                                                      • Opcode Fuzzy Hash: 8476fe2989113d5a76d789d532b59fe8edfc103eb22a8b24f148f3843e8543d3
                                                                      • Instruction Fuzzy Hash: 55911876A01219CFD754EB78E849B5973F2BF88256F1085A9E50AC33A0DF399D81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 51c1bb869e8addb768f94d24b060040478bf2e14140de8fa4b2955c6ee93357f
                                                                      • Instruction ID: 3ddd7d049e00429a85dce3c2ea171223be03ec52b4704de2f1afa449975762a6
                                                                      • Opcode Fuzzy Hash: 51c1bb869e8addb768f94d24b060040478bf2e14140de8fa4b2955c6ee93357f
                                                                      • Instruction Fuzzy Hash: 09812776A01219CFD754EB78E849B5973F2BF88256F1085A9E50AC33A0DF399C81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 026B96F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 1d46fc1f89808b07c11297471be754f52e040ec206b2c2289ff11408163787fa
                                                                      • Instruction ID: 0a49a387210aa1b988fca56adb3201e941dc27175d010563ea9f04f4cd8652dd
                                                                      • Opcode Fuzzy Hash: 1d46fc1f89808b07c11297471be754f52e040ec206b2c2289ff11408163787fa
                                                                      • Instruction Fuzzy Hash: 84712071A01B058FEB25DF2AD08479ABBF5BF88304F10892ED54A97B50EB34E845CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 72baa95ab8db25820f50df99e5b5da75840adb13ab895f3848d17c096b18cfd4
                                                                      • Instruction ID: c1b25db162f38ce9f4dcda100bfb5423b5b685dc562047f04aa3a301fd8df3ff
                                                                      • Opcode Fuzzy Hash: 72baa95ab8db25820f50df99e5b5da75840adb13ab895f3848d17c096b18cfd4
                                                                      • Instruction Fuzzy Hash: B8811676A01219CFD754EB78E849B5973F2BF89256F1085A9E50AC33A0DF399C81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 3f68c23d6973c88fcd842b955ba424860f948cdd6d6f085d23b820e9bfb25e84
                                                                      • Instruction ID: 8cd64cfe22344ec4ff1e94b29bd0c71f83da38cde14938b90076404e0abd73e8
                                                                      • Opcode Fuzzy Hash: 3f68c23d6973c88fcd842b955ba424860f948cdd6d6f085d23b820e9bfb25e84
                                                                      • Instruction Fuzzy Hash: D3712876A01218CFD754EB78E849B5973F2BF89256F1045A9E50A83390DF3A9C81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: f6464f24f1eb6486029765cf00a6244f52a144a05602c9424efe99ff5272fd6d
                                                                      • Instruction ID: 84bedea66482114cddb17081ea5aa2af5b651e314fb75eb4cde7f86a2aca33cd
                                                                      • Opcode Fuzzy Hash: f6464f24f1eb6486029765cf00a6244f52a144a05602c9424efe99ff5272fd6d
                                                                      • Instruction Fuzzy Hash: 39712776A01219CFD754EB78E849B5973F2BF89356F1045A9E50A833A0DF3A9C81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 9f31518aa2ae06ea6fac572bd84dedde4f63975cd60b9425ba44838285835b9c
                                                                      • Instruction ID: 6726ee9b34632c12754496961236afc45c50ab3564fa440fb19d83995adf1cdd
                                                                      • Opcode Fuzzy Hash: 9f31518aa2ae06ea6fac572bd84dedde4f63975cd60b9425ba44838285835b9c
                                                                      • Instruction Fuzzy Hash: 5A613876A01258CFD754AB78E849B5873F2BF8935AF1045B9E50A83390DF3A9C81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: de071d7eb5e22bebf54be219775046607b83e0619502e6e7aa4b4df8de731be9
                                                                      • Instruction ID: b1f2a2febe9cf01fb2820f331a1b157f5a20968f69e70654e88f6bc5f8599568
                                                                      • Opcode Fuzzy Hash: de071d7eb5e22bebf54be219775046607b83e0619502e6e7aa4b4df8de731be9
                                                                      • Instruction Fuzzy Hash: E1613936A01259CFD754AB78E809B5873B2BF8935AF1044B9E50B83390DF3A8C81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: bbb8b673a6d56569736225d5f1251b5fd3caa30eb1ed1cddc4147180d383538d
                                                                      • Instruction ID: 6a34d9fea7f6217ca9da0f66b832bb15b11ff68704be3137031f3fa0e9588b9b
                                                                      • Opcode Fuzzy Hash: bbb8b673a6d56569736225d5f1251b5fd3caa30eb1ed1cddc4147180d383538d
                                                                      • Instruction Fuzzy Hash: F8511B76A01259CFD754AB78E819B5873B2BF4935AF1045B9E50B83750DF3A8C81CF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: ae9cef076077b3f0048f2487c7e47117ce25528ac0efa3219f1e39ca059a9736
                                                                      • Instruction ID: 5056fb23756b76ad0d971d3225f97bd9e8a614f67c442f49bdcb84cc5233ce38
                                                                      • Opcode Fuzzy Hash: ae9cef076077b3f0048f2487c7e47117ce25528ac0efa3219f1e39ca059a9736
                                                                      • Instruction Fuzzy Hash: 34512B32A02259CFD754AB78E81975873B2BF4935AF1045B9E50783750CF3A8C82CF61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: c99b8f5f04d3770f82f1b826175ca34ecbd4ca04345eab575740abb29d870eb0
                                                                      • Instruction ID: 9626a1a5acf86cf167f90ac2ff7bc11c4ca5dd62cca6feaeac22dc9cf916ba6f
                                                                      • Opcode Fuzzy Hash: c99b8f5f04d3770f82f1b826175ca34ecbd4ca04345eab575740abb29d870eb0
                                                                      • Instruction Fuzzy Hash: EB511B32A01259CFD754AB78E81975873B2BF4935AF1045B9E50B83790DF3A8C82CF61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026BFF2A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026BFF2A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 026B5421
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 026B5421
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026BB99E,?,?,?,?,?), ref: 026BBA5F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 7d764fc631d68fce3b1132c238dc8a3c7e11e44d5e5f7eb0dfb9d2dc7a5ba1a8
                                                                      • Instruction ID: 7ae08ef129847c95bc0a1ef9651c22612ef81a18e0b563e0d41e9dd80d2090ef
                                                                      • Opcode Fuzzy Hash: 7d764fc631d68fce3b1132c238dc8a3c7e11e44d5e5f7eb0dfb9d2dc7a5ba1a8
                                                                      • Instruction Fuzzy Hash: 8621E3B5D00209AFDB10CFAAD584AEEBFF8EB48324F14845AE915A3310D374A954CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026BB99E,?,?,?,?,?), ref: 026BBA5F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 4d98359d3051abeea2f4b3026eb3b59884ed07fe71df43f660f2a749e1c0c548
                                                                      • Instruction ID: b9c11c3339b04c110c7da9f65ed3476a2f017699b60039028307abd50ffcf0a1
                                                                      • Opcode Fuzzy Hash: 4d98359d3051abeea2f4b3026eb3b59884ed07fe71df43f660f2a749e1c0c548
                                                                      • Instruction Fuzzy Hash: 6221EEB5D00219DFDB00CFAAD584AEEBBF5FB48324F14841AE954A3210D778A954CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 407f9df28f3e8e21fe93cc055d7cf1daebe96578bb14b684148a66718e634fa7
                                                                      • Instruction ID: dda21f7cd6404e3d23a208c2bdbb808e1e68b5151c556ff0a975125734125b2f
                                                                      • Opcode Fuzzy Hash: 407f9df28f3e8e21fe93cc055d7cf1daebe96578bb14b684148a66718e634fa7
                                                                      • Instruction Fuzzy Hash: DB210B76A01259CFD714AB78E80975D73B2BF8935AF1041B9E50B83690DF3A8D82CF61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 7b0aad9ae93b8f25197e5f6d7856aa757a792eb1c89357b6ccaa6601c894c99a
                                                                      • Instruction ID: 982775297a119720178b32e9f55ff3e2b07d9537c25b7e37c6832d5e99a217bd
                                                                      • Opcode Fuzzy Hash: 7b0aad9ae93b8f25197e5f6d7856aa757a792eb1c89357b6ccaa6601c894c99a
                                                                      • Instruction Fuzzy Hash: 5B11F976A01259CFD714AB78E80975D73B2BF8925AF1041B9E50B83650DF3A8D41CF61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,026B9771,00000800,00000000,00000000), ref: 026B9982
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: d5b4c2449d9ce8b8ee161937a1cd471b43d0121181eac4205f0feb9782bef836
                                                                      • Instruction ID: 1ff28b00fa33471aa1480e2b4fd1344bc9765d1b526c5ff4282223b46d9c2bc1
                                                                      • Opcode Fuzzy Hash: d5b4c2449d9ce8b8ee161937a1cd471b43d0121181eac4205f0feb9782bef836
                                                                      • Instruction Fuzzy Hash: AE1103B69002599FDB10DF9AD484BDEFBF8EF88324F04842EE915A7600C374A545CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,026B9771,00000800,00000000,00000000), ref: 026B9982
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: bd37faf36d9a493df4522f59afd1e12c7a339789f8ea9d6923f9999c289657cd
                                                                      • Instruction ID: f4b10893794dbc0808c0c23e9556b64e83ff6dab29bb13c259710e4dfd9fa441
                                                                      • Opcode Fuzzy Hash: bd37faf36d9a493df4522f59afd1e12c7a339789f8ea9d6923f9999c289657cd
                                                                      • Instruction Fuzzy Hash: BE1112B6D012098FDB10CF9AD484BDEFBF4EF88324F14842AD559A7200C375A546CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: f45ce649c5929dda0042a2b2778a81bfab5c55650137aa7f98a81dc948b97c0a
                                                                      • Instruction ID: a083d767e5b12f064ba91dc599ed155887fecc333945211e140451c7efb08d6e
                                                                      • Opcode Fuzzy Hash: f45ce649c5929dda0042a2b2778a81bfab5c55650137aa7f98a81dc948b97c0a
                                                                      • Instruction Fuzzy Hash: 10113A32A01219CFD714AB78F80975C73B2BF89256F1040B9E50A83650DF3A8C81CF61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 026B96F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 7989397d33005afb911bf2ea47bd6a624d9b6b27982258506d19118fbd719c29
                                                                      • Instruction ID: 0284b26beb652603d5aa6c1ae50e584d1a005ee031a0ced33e9cbf11cf84641f
                                                                      • Opcode Fuzzy Hash: 7989397d33005afb911bf2ea47bd6a624d9b6b27982258506d19118fbd719c29
                                                                      • Instruction Fuzzy Hash: A21102B5C012498FDB10CF9AC444BDEFBF4AF88324F14846AD429A7600D374A545CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 097EF135
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: d3abdbdb2085d3e5bfba2bd6fb1364d00e3554ebc863d2b90ab9d5b4f992845e
                                                                      • Instruction ID: 602c738fa2069d9e3c0449677a68771f572de7c9bb4a06d5d67f1c980768a553
                                                                      • Opcode Fuzzy Hash: d3abdbdb2085d3e5bfba2bd6fb1364d00e3554ebc863d2b90ab9d5b4f992845e
                                                                      • Instruction Fuzzy Hash: 07011776A02218CFD714AB78F80976C73B2BF8925AF1041B9E50A83650DF3A8D81CF61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: n
                                                                      • API String ID: 0-2013832146
                                                                      • Opcode ID: ede7290747da6179724b908dea8a7dd382d138c7bf90b6a0fba63b8c96755d97
                                                                      • Instruction ID: 55d61692da2a5905d50ca858e69a4c7001792c095fba0a75978b8ff30567b3b5
                                                                      • Opcode Fuzzy Hash: ede7290747da6179724b908dea8a7dd382d138c7bf90b6a0fba63b8c96755d97
                                                                      • Instruction Fuzzy Hash: 17013D78901668CFDBA0DF24DC9979EBBB1BB89302F0186D5E409A2290DB751AD4CF04
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 99e6d44ed2ca96b03f3be9fb40f3d6b5f65c561fea9d173d9e19f2dfa1ee58f7
                                                                      • Instruction ID: c8734dfe992903fb12be18bb50ddd9c61211d42820895cbf40c0b34bc79fb31d
                                                                      • Opcode Fuzzy Hash: 99e6d44ed2ca96b03f3be9fb40f3d6b5f65c561fea9d173d9e19f2dfa1ee58f7
                                                                      • Instruction Fuzzy Hash: 5321D675E042199FCB04DFA8D495ADEBBB1FF49310F01816AE905B7360DB34A940CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7a335d9fcfa85b21ad038877436a0d01a2a07fab40f2398db23af28855be5930
                                                                      • Instruction ID: 268009ff32a382e365c0380f412c681979762071da7dc0d8dca7190c559f7954
                                                                      • Opcode Fuzzy Hash: 7a335d9fcfa85b21ad038877436a0d01a2a07fab40f2398db23af28855be5930
                                                                      • Instruction Fuzzy Hash: 9B211571E04209DFCB14DFAAD445AAEBBB1BF88304F1181A9D614A7384D7389986CF81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 78448052e18d6d1a7202884c03c306e6701e3b4a9bdf81ca2bbadfea1526ddba
                                                                      • Instruction ID: 5b00bb7b52b458891e6ac76a40cff03bdcad232cf7c007e80e5b27abcedb17f2
                                                                      • Opcode Fuzzy Hash: 78448052e18d6d1a7202884c03c306e6701e3b4a9bdf81ca2bbadfea1526ddba
                                                                      • Instruction Fuzzy Hash: 14112535E08219CBCF18DFA5D451AFEBBF6BF89350F109029DA05B7354DB345A418BA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4aadbab9ea9472071c701852eba74d898173e460553c2de76252bcfbdc356fdf
                                                                      • Instruction ID: f6aca6f0cb3f4734b332c6d545a96d2cb4c1d1fc7adb788154b6c6fa814cfa08
                                                                      • Opcode Fuzzy Hash: 4aadbab9ea9472071c701852eba74d898173e460553c2de76252bcfbdc356fdf
                                                                      • Instruction Fuzzy Hash: F8E0C234D0520CEFCB54EFA8E445A9DBBB1FB48310F10C1A9A854A2314D7345A50DF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 125f7542420ea18af7ce09764e009596f231ea16915278de0c63499f58ad561a
                                                                      • Instruction ID: 5ea70fbaf0a12bd8497359996b6fc0792186e163e3d5b1d8c86ebdbc1291133c
                                                                      • Opcode Fuzzy Hash: 125f7542420ea18af7ce09764e009596f231ea16915278de0c63499f58ad561a
                                                                      • Instruction Fuzzy Hash: B8E0E574E05208EFCB40EFA8D445A9DFBF0FB48310F1081AAE808A7310D635AA40CF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f65677f410c2f1e387ee803ae08bad35aa35d0bb8f145f62e5c0ce51dd54007a
                                                                      • Instruction ID: b1cdd0cee15616819697780fda260f1f8ca30b07f08f42824eba97c11735438b
                                                                      • Opcode Fuzzy Hash: f65677f410c2f1e387ee803ae08bad35aa35d0bb8f145f62e5c0ce51dd54007a
                                                                      • Instruction Fuzzy Hash: ABE0E570D05208EFCB14EFA8D44169DBBB4FB48300F1081A9D804A2310D7395A90DF84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f65677f410c2f1e387ee803ae08bad35aa35d0bb8f145f62e5c0ce51dd54007a
                                                                      • Instruction ID: 12b791420e22e8d0436ca3b3f9be498875545235596420c731af0998abf57c8e
                                                                      • Opcode Fuzzy Hash: f65677f410c2f1e387ee803ae08bad35aa35d0bb8f145f62e5c0ce51dd54007a
                                                                      • Instruction Fuzzy Hash: 5BE0E570D05208EFCB54DFA8D44169DBBB4FB48300F1081A9D814A2350D7395A94DF84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519858275.00000000097E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97e0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.505529751.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26b0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.519900778.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_97f0000_ADOC RFQ-WCMS-18097255.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%