Windows Analysis Report
ADOC RFQ-WCMS-18097255.exe

Overview

General Information

Sample Name: ADOC RFQ-WCMS-18097255.exe
Analysis ID: 764045
MD5: 856317033475c7932f8cbf88ec2b7ef8
SHA1: 6b24fa54a990477bde13f64144d5d5a1187c40b9
SHA256: 15700616b67e3ac2d97cfb221762dca3b2b36cc9d3e1cf7ca8737acc9bb4db84
Tags: exe

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • ADOC RFQ-WCMS-18097255.exe (PID: 5788 cmdline: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe MD5: 856317033475C7932F8CBF88EC2B7EF8)
  • cleanup

Malware Configuration (Agenttesla)

{"Exfil Mode": "SMTP", "Host": "us2.smtp.mailhostbox.com", "Username": "gamzy@freesteelmyst.xyz", "Password": "  JIRUmBO0        "}

Yara Overview: Memory Dumps

Source | Rule | Description | Author | Strings
    Source: 00000000.00000002.508080417.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
    Source: 00000000.00000002.513606305.0000000003C61000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown
    • 0x23760:$a20: get_LastAccessed
    • 0x25885:$a30: set_GuidMasterKey
    • 0x23814:$a33: get_Clipboard
    • 0x23822:$a34: get_Keyboard
    • 0x249cd:$a35: get_ShiftKeyDown
    • 0x249de:$a36: get_AltKeyDown
    • 0x2382f:$a37: get_Password
    • 0x24253:$a38: get_PasswordHash
    • 0x250d6:$a39: get_DefaultCredentials
    Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp | Rule: MALWARE_Win_AgentTeslaV3 | Description: AgentTeslaV3 infostealer payload | Author: ditekSHen
    • 0x2619e:$s10: logins
    • 0x25cd7:$s11: credential
    • 0x22b94:$g1: get_Clipboard
    • 0x22ba2:$g2: get_Keyboard
    • 0x22baf:$g3: get_Password
    • 0x23d3d:$g4: get_CtrlKeyDown
    • 0x23d4d:$g5: get_ShiftKeyDown
    • 0x23d5e:$g6: get_AltKeyDown
    Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown
    • 0x22ae0:$a20: get_LastAccessed
    • 0x24c05:$a30: set_GuidMasterKey
    • 0x22b94:$a33: get_Clipboard
    • 0x22ba2:$a34: get_Keyboard
    • 0x23d4d:$a35: get_ShiftKeyDown
    • 0x23d5e:$a36: get_AltKeyDown
    • 0x22baf:$a37: get_Password
    • 0x235d3:$a38: get_PasswordHash
    • 0x24456:$a39: get_DefaultCredentials
    Source: 00000000.00000002.510469030.0000000003881000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown
    • 0x53430:$a20: get_LastAccessed
    • 0x55555:$a30: set_GuidMasterKey
    • 0x534e4:$a33: get_Clipboard
    • 0x534f2:$a34: get_Keyboard
    • 0x5469d:$a35: get_ShiftKeyDown
    • 0x546ae:$a36: get_AltKeyDown
    • 0x534ff:$a37: get_Password
    • 0x53f23:$a38: get_PasswordHash
    • 0x54da6:$a39: get_DefaultCredentials

Yara Overview: Unpacked PEs

    Source | Rule | Description | Author | Strings
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack | Rule: MALWARE_Win_AgentTeslaV3 | Description: AgentTeslaV3 infostealer payload | Author: ditekSHen
    • 0x2439e:$s10: logins
    • 0x23ed7:$s11: credential
    • 0x20d94:$g1: get_Clipboard
    • 0x20da2:$g2: get_Keyboard
    • 0x20daf:$g3: get_Password
    • 0x21f3d:$g4: get_CtrlKeyDown
    • 0x21f4d:$g5: get_ShiftKeyDown
    • 0x21f5e:$g6: get_AltKeyDown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown
    • 0x20ce0:$a20: get_LastAccessed
    • 0x22e05:$a30: set_GuidMasterKey
    • 0x20d94:$a33: get_Clipboard
    • 0x20da2:$a34: get_Keyboard
    • 0x21f4d:$a35: get_ShiftKeyDown
    • 0x21f5e:$a36: get_AltKeyDown
    • 0x20daf:$a37: get_Password
    • 0x217d3:$a38: get_PasswordHash
    • 0x22656:$a39: get_DefaultCredentials
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack | Rule: MALWARE_Win_AgentTeslaV3 | Description: AgentTeslaV3 infostealer payload | Author: ditekSHen
    • 0x2619e:$s10: logins
    • 0x25cd7:$s11: credential
    • 0x22b94:$g1: get_Clipboard
    • 0x22ba2:$g2: get_Keyboard
    • 0x22baf:$g3: get_Password
    • 0x23d3d:$g4: get_CtrlKeyDown
    • 0x23d4d:$g5: get_ShiftKeyDown
    • 0x23d5e:$g6: get_AltKeyDown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown
    • 0x22ae0:$a20: get_LastAccessed
    • 0x24c05:$a30: set_GuidMasterKey
    • 0x22b94:$a33: get_Clipboard
    • 0x22ba2:$a34: get_Keyboard
    • 0x23d4d:$a35: get_ShiftKeyDown
    • 0x23d5e:$a36: get_AltKeyDown
    • 0x22baf:$a37: get_Password
    • 0x235d3:$a38: get_PasswordHash
    • 0x24456:$a39: get_DefaultCredentials
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.unpack | Rule: MALWARE_Win_AgentTeslaV3 | Description: AgentTeslaV3 infostealer payload | Author: ditekSHen
    • 0x4c3be:$s10: logins
    • 0x4bef7:$s11: credential
    • 0x48db4:$g1: get_Clipboard
    • 0x48dc2:$g2: get_Keyboard
    • 0x48dcf:$g3: get_Password
    • 0x49f5d:$g4: get_CtrlKeyDown
    • 0x49f6d:$g5: get_ShiftKeyDown
    • 0x49f7e:$g6: get_AltKeyDown
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: ADOC RFQ-WCMS-18097255.exe | Joe Sandbox ML: detected
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "us2.smtp.mailhostbox.com", "Username": "gamzy@freesteelmyst.xyz", "Password": " JIRUmBO0 "}
    Source: ADOC RFQ-WCMS-18097255.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: ADOC RFQ-WCMS-18097255.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Joe Sandbox View | IP Address: 208.91.199.223
    Source: global traffic | TCP traffic: 192.168.2.3:49698 -> 208.91.199.223:587
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://CtxmCtXtvGR51e3orE.org
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
    Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com

    System Summary

    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
    Source: 00000000.00000002.513606305.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
    Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: 00000000.00000002.510469030.0000000003881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
    Source: ADOC RFQ-WCMS-18097255.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.7040000.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3c61c80.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.3889930.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.38b1950.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
    Source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
    Source: 00000000.00000002.513606305.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
    Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: 00000000.00000002.510469030.0000000003881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_026BE690
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_026BC234
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_026BE680
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097E9CD0
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097EBC90
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097E90B8
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097E9400
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097F0040
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeCode function: 0_2_097F0012
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.513606305.0000000003C61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename23d4a2f1-fc83-426a-8c72-0a56a8653dfa.exe4 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000000.238484102.00000000005F8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameTyTT.exeB vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.518144683.0000000006FA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.517937105.0000000006F70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.510469030.0000000003881000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename23d4a2f1-fc83-426a-8c72-0a56a8653dfa.exe4 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.513808651.0000000003CD5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename23d4a2f1-fc83-426a-8c72-0a56a8653dfa.exe4 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.519242545.0000000007200000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exeBinary or memory string: OriginalFilenameTyTT.exeB vs ADOC RFQ-WCMS-18097255.exe
    Source: ADOC RFQ-WCMS-18097255.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: ADOC RFQ-WCMS-18097255.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7DB0.tmp
    Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@1/0@1/1
    Source: ADOC RFQ-WCMS-18097255.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: ADOC RFQ-WCMS-18097255.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: ADOC RFQ-WCMS-18097255.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: ADOC RFQ-WCMS-18097255.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Code function: 0_2_097EA6E8 push esp; ret
    Source: ADOC RFQ-WCMS-18097255.exe | Static PE information: 0xE8FF4486 [Sat Nov 14 13:22:14 2093 UTC]
    Source: initial sample | Static PE information: section name: .text entropy: 7.556547919849989
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: Yara match | File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTR
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe TID: 5836 | Thread sleep time: -38122s >= -30000s
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe TID: 4224 | Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Window / User API: threadDelayed 9359
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Thread delayed: delay time: 38122
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Memory allocated: page read and write | page guard
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match | File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000000.00000002.508080417.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTR
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: Yara match | File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a5ddcc.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.ADOC RFQ-WCMS-18097255.exe.2a3096c.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000000.00000002.508080417.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: ADOC RFQ-WCMS-18097255.exe PID: 5788, type: MEMORYSTR
    MITRE ATT&CK Matrix, listed by tactic (numbers in parentheses are the badge values the report shows beside a technique)

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Windows Management Instrumentation (211); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
    Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Obfuscated Files or Information (2); Software Packing (2); Timestomp (1); Steganography
    Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (114)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (2); Input Capture; Keylogging; GUI Input Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
    Impact: Modify System Partition; Device Lockout; Delete Device Data

    Source | Detection | Scanner | Label
    ADOC RFQ-WCMS-18097255.exe | 100% | Joe Sandbox ML | 
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
    https://sectigo.com/CPS0 | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
    http://www.tiro.com | 0% | URL Reputation | safe
    http://www.goodfont.co.kr | 0% | URL Reputation | safe
    http://www.carterandcone.coml | 0% | URL Reputation | safe
    http://www.sajatypeworks.com | 0% | URL Reputation | safe
    http://www.typography.netD | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
    http://fontfabrik.com | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
    http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
    http://ocsp.sectigo.com0A | 0% | URL Reputation | safe
    http://www.sandoll.co.kr | 0% | URL Reputation | safe
    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
    http://www.sakkal.com | 0% | URL Reputation | safe
    http://CtxmCtXtvGR51e3orE.org | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    us2.smtp.mailhostbox.com | 208.91.199.223 | true | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.apache.org/licenses/LICENSE-2.0 | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.fontbureau.com | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.fontbureau.com/designersG | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://sectigo.com/CPS0 | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/? | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.founder.com.cn/cn/bThe | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://us2.smtp.mailhostbox.com | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://CtxmCtXtvGR51e3orE.org | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.com/designers? | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.tiro.com | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.goodfont.co.kr | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.carterandcone.coml | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.sajatypeworks.com | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.typography.netD | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/cabarga.htmlN | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.founder.com.cn/cn/cThe | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.galapagosdesign.com/staff/dennis.htm | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://fontfabrik.com | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.founder.com.cn/cn | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/frere-jones.html | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.jiyu-kobo.co.jp/ | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://DynDns.comDynDNSnamejidpasswordPsi/Psi | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.galapagosdesign.com/DPlease | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers8 | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://ocsp.sectigo.com0A | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.520037204.0000000009830000.00000004.00000800.00020000.00000000.sdmp, ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.507971659.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fonts.com | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.sandoll.co.kr | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.urwpp.deDPlease | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.zhongyicts.com.cn | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.sakkal.com | ADOC RFQ-WCMS-18097255.exe, 00000000.00000002.516330292.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    208.91.199.223 | us2.smtp.mailhostbox.com | United States | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
    Joe Sandbox Version: 36.0.0 Rainbow Opal
    Analysis ID: 764045
    Start date and time: 2022-12-09 11:04:13 +01:00
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 6m 19s
    Hypervisor based Inspection enabled: false
    Report type: light
    Sample file name: ADOC RFQ-WCMS-18097255.exe
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed: 12
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal96.troj.spyw.evad.winEXE@1/0@1/1
    EGA Information:
    • Successful, ratio: 100%
    HDC Information: Failed
    HCA Information:
    • Successful, ratio: 94%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): fs.microsoft.com
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    11:05:12 | API Interceptor | 753x Sleep call for process: ADOC RFQ-WCMS-18097255.exe modified
                            No context
                            No context
                            No context
                            No context
                            No context
                            No created / dropped files found
    File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Entropy (8bit): 7.555023841660244
    TrID:
    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
    • Win32 Executable (generic) a (10002005/4) 49.75%
    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
    • Windows Screen Saver (13104/52) 0.07%
    • Generic Win/DOS Executable (2004/3) 0.01%
    File name: ADOC RFQ-WCMS-18097255.exe
    File size: 1003520
    MD5: 856317033475c7932f8cbf88ec2b7ef8
    SHA1: 6b24fa54a990477bde13f64144d5d5a1187c40b9
    SHA256: 15700616b67e3ac2d97cfb221762dca3b2b36cc9d3e1cf7ca8737acc9bb4db84
    SHA512: 58231da8dfb1eec9d94841ef9d5474d64e13f31365d517eecc28f17c71851762a383b8a7837db446e7fb17aaa546d8728ef36e2425683fc07536fa330bc89f6f
    SSDEEP: 12288:b1fhB01+YyFwG5JKp5ctm1V63em1nHATF+JRS1TWRfg3ZpFL:b1fhC1Jy95JKLf63eDqxIJpF
    TLSH: 0E257DD5ABF2A026F48F72522418369DDC35BD43774BE19667723B4082D48FFB6A8483
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D................0..H..........~f... ........@.. ....................................@................................
    Icon Hash: 00828e8e8686b000
    Entrypoint: 0x4f667e
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Time Stamp: 0xE8FF4486 [Sat Nov 14 13:22:14 2093 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 4
    OS Version Minor: 0
    File Version Major: 4
    File Version Minor: 0
    Subsystem Version Major: 4
    Subsystem Version Minor: 0
    Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
    Instruction
    jmp dword ptr [00402000h]
    add byte ptr [eax], al
    (the previous instruction repeats 96 more times: the bytes following the jump are zero padding, which decodes as add byte ptr [eax], al)
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf662c | 0x4f | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf8000 | 0x398 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfa000 | 0xc | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf6610 | 0x1c | .text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x2000 | 0xf4684 | 0xf4800 | False | 0.8147017590107362 | data | 7.556547919849989 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc | 0xf8000 | 0x398 | 0x400 | False | 0.3828125 | data | 2.924448333381374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0xfa000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country
    RT_VERSION | 0xf8058 | 0x33c | data | |
    DLL | Import
    mscoree.dll | _CorExeMain
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Dec 9, 2022 11:05:30.268661022 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:30.435899973 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:30.436017036 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:30.991494894 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:30.991981030 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:31.160293102 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:31.160362959 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:31.160856962 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:31.328228951 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:31.418936968 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:31.586025000 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:31.586055040 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:31.586244106 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:31.586386919 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:31.586409092 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:31.586472988 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:31.588968992 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:31.657943964 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:31.753552914 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:31.791228056 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:31.958822012 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:32.002902031 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:32.138349056 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:32.306432962 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:32.310359001 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:32.480194092 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:32.481578112 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:32.654700994 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:32.655360937 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:32.825046062 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:32.825598955 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:33.015599966 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:33.017049074 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:33.185446978 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:33.187422991 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:33.187670946 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:33.188152075 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:33.188152075 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:05:33.354585886 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:33.355048895 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:33.483477116 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:05:33.535815001 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:07:10.197741032 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:07:10.365978003 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:07:10.366503000 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3
    Dec 9, 2022 11:07:10.366581917 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Dec 9, 2022 11:07:10.368838072 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Dec 9, 2022 11:05:30.229001999 CET | 62704 | 53 | 192.168.2.3 | 8.8.8.8
    Dec 9, 2022 11:05:30.248526096 CET | 53 | 62704 | 8.8.8.8 | 192.168.2.3
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Dec 9, 2022 11:05:30.229001999 CET | 192.168.2.3 | 8.8.8.8 | 0xe412 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001) | false
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Dec 9, 2022 11:05:30.248526096 CET | 8.8.8.8 | 192.168.2.3 | 0xe412 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001) | false
    Dec 9, 2022 11:05:30.248526096 CET | 8.8.8.8 | 192.168.2.3 | 0xe412 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001) | false
    Dec 9, 2022 11:05:30.248526096 CET | 8.8.8.8 | 192.168.2.3 | 0xe412 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001) | false
    Dec 9, 2022 11:05:30.248526096 CET | 8.8.8.8 | 192.168.2.3 | 0xe412 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001) | false
    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
    Dec 9, 2022 11:05:30.991494894 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
    Dec 9, 2022 11:05:30.991981030 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223 | EHLO 960781
    Dec 9, 2022 11:05:31.160362959 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
    Dec 9, 2022 11:05:31.160856962 CET | 49698 | 587 | 192.168.2.3 | 208.91.199.223 | STARTTLS
    Dec 9, 2022 11:05:31.328228951 CET | 587 | 49698 | 208.91.199.223 | 192.168.2.3 | 220 2.0.0 Ready to start TLS
                            No statistics
    Target ID: 0
    Start time: 11:05:03
    Start date: 09/12/2022
    Path: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe
    Wow64 process (32bit): true
    Commandline: C:\Users\user\Desktop\ADOC RFQ-WCMS-18097255.exe
    Imagebase: 0x500000
    File size: 1003520 bytes
    MD5 hash: 856317033475C7932F8CBF88EC2B7EF8
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: .Net C# or VB.NET
    Yara matches:
    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.508080417.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
    • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.513606305.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
    • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
    • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.519041329.0000000007040000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.510469030.0000000003881000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.505811223.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
    Reputation: low

                            No disassembly