
Analysis Report SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Overview

General Information

Sample Name: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Analysis ID: 432708
MD5: d482d04bd4113f1f9f08e39bca4a3f27
SHA1: 783f25f265c34681ffca9e5c8ac5bebecc71bbc6
SHA256: 9973c00cf203198a16d3d897fa85d46896f04ea9d58b23917eaea32a3de4d5e4
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • SAUDI ARAMCO Tender Documents - BOQ and ITB.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe' MD5: D482D04BD4113F1F9F08E39BCA4A3F27)
    • schtasks.exe (PID: 6824 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6904 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "admin@dangotesugars.com08102186737CEOus2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

            Unpacked PEs

Source | Rule | Description | Author | Strings
5.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                      Sigma Overview

                      System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe', ParentImage: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, ParentProcessId: 6556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6904
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe', ParentImage: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, ParentProcessId: 6556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6904

                      Signature Overview


                      AV Detection:

Found malware configuration
Source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "admin@dangotesugars.com08102186737CEOus2.smtp.mailhostbox.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe | ReversingLabs: Detection: 15%
Multi AV Scanner detection for submitted file
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Virustotal: Detection: 30%
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | ReversingLabs: Detection: 15%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Joe Sandbox ML: detected
Source: 5.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb< | source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb | source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: global traffic | TCP traffic: 192.168.2.6:49756 -> 208.91.199.223:587
Source: Joe Sandbox View | IP Address: 208.91.199.223 208.91.199.223
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369600695.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: http://xaqngD.com
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: https://Tw98FI5QiWYWE4R7ojW.com
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      System Summary:

.NET source code contains very large array initializations
Source: 5.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b4FF9C728u002d7C57u002d40C2u002dBE9Cu002d6335DB58B1AFu007d/B8E47775u002d22E9u002d4EE8u002d9FD7u002d974F8284310E.cs | Large array initialization: .cctor: array initializer size 11966
Source: 5.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b4FF9C728u002d7C57u002d40C2u002dBE9Cu002d6335DB58B1AFu007d/B8E47775u002d22E9u002d4EE8u002d9FD7u002d974F8284310E.cs | Large array initialization: .cctor: array initializer size 11966
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0606BED8 appears 46 times
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWvRNvQqDKFGGvAlWFhquDEcwrJemX.exe4 vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.377690232.000000000ED90000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.368738849.0000000000ED2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRegistryValueOptions.exeZ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.376636365.00000000090B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.378103149.000000000EE80000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.378103149.000000000EE80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Binary or memory string: OriginalFilenameRegistryValueOptions.exeZ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sXNiyYIFndkxd.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/5@2/1
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | File created: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Mutant created: \Sessions\1\BaseNamedObjects\jGmaaFOdSHSnPJ
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | File created: C:\Users\user\AppData\Local\Temp\tmp2894.tmp
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Virustotal: Detection: 30%
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | File read: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: unknown | Process created: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe'
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb< source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: sXNiyYIFndkxd.exe.1.dr, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.de0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.de0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_3_05E0A011 push eax; retf
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00F0888A push 8BFFFFFFh; retf
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0606A61F push es; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0606ED73 push eax; ret
                      Source: initial sample Static PE information: section name: .text entropy: 7.86709142883
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe File created: \saudi aramco tender documents - boq and itb.exe
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe File created: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match File source: 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe PID: 6556, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1927
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7912
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe TID: 6560 Thread sleep time: -102923s >= -30000s
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe TID: 6604 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Thread delayed: delay time: 102923
                      Source: RegSvcs.exe, 00000005.00000002.607253583.0000000005F00000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: vmware
                      Source: RegSvcs.exe, 00000005.00000002.607086422.0000000005E05000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT"
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: VMWARE
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: RegSvcs.exe, 00000005.00000002.607253583.0000000005F00000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: RegSvcs.exe, 00000005.00000002.607253583.0000000005F00000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: RegSvcs.exe, 00000005.00000002.607253583.0000000005F00000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00F01328 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C94008
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 00000005.00000002.601979809.00000000017A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 00000005.00000002.601979809.00000000017A0000.00000002.00000001.sdmp Binary or memory string: Progman
                      Source: RegSvcs.exe, 00000005.00000002.601979809.00000000017A0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
                      Source: RegSvcs.exe, 00000005.00000002.601979809.00000000017A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_060663F4 GetUserNameW
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6904, type: MEMORY
Source: Yara match | File source: Process Memory Space: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe PID: 6556, type: MEMORY
Source: Yara match | File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6904, type: MEMORY
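Every credential-store access in this section comes from RegSvcs.exe, the .NET Services Installation Tool that ships with the Framework, which has no legitimate reason to open Chrome's Login Data, Firefox or Thunderbird profiles.ini, FileZilla's recentservers.xml or the WinSCP session keys. The detector below is an added example written for this page (it is not part of the Joe Sandbox report or of any vendor tooling): it replays constructed Sysmon-style file-open and registry-open events built from the paths and keys listed above and flags any process that is not the owning application touching them. The event shape, the owner allowlist and the process IDs are assumptions made for the example; the paths and keys themselves are the ones in the report.

```python
"""Flag credential-store access by processes that do not own the store.

Added example, not from the report. Events are a constructed Sysmon-style
shape (pid, image path, kind, target); the paths/keys come from the report.
"""
import re
from dataclasses import dataclass

# Credential stores by category: case-insensitive regexes over the full
# path or registry key, kept profile-independent (no hard-coded user dir).
CREDENTIAL_STORES = {
    "browser": [
        r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$",
        r"\\Mozilla\\Firefox\\profiles\.ini$",
    ],
    "ftp": [
        r"\\FileZilla\\recentservers\.xml$",
        r"\\SmartFTP\\Client 2\.0\\Favorites\\",
    ],
    "mail": [
        r"\\Thunderbird\\profiles\.ini$",
        r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\",
        r"\\IncrediMail\\Identities$",
    ],
    "scp": [
        r"\\Martin Prikryl\\WinSCP 2\\Sessions$",
    ],
}

# Image names allowed to read each store (assumption for this example).
OWNERS = {
    "browser": {"chrome.exe", "firefox.exe"},
    "ftp": {"filezilla.exe", "smartftp.exe"},
    "mail": {"thunderbird.exe", "outlook.exe", "incmail.exe"},
    "scp": {"winscp.exe"},
}

@dataclass(frozen=True)
class Event:
    pid: int
    image: str    # full path of the process image
    kind: str     # "file" or "registry"
    target: str   # path or key that was opened

@dataclass(frozen=True)
class Hit:
    pid: int
    image: str
    category: str
    target: str

_COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
             for cat, pats in CREDENTIAL_STORES.items()}

def classify(target: str):
    """Return the store category a path/key belongs to, or None."""
    for cat, pats in _COMPILED.items():
        if any(p.search(target) for p in pats):
            return cat
    return None

def image_name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def find_hits(events):
    """Credential-store accesses by a process that is not the store's owner."""
    hits = []
    for ev in events:
        cat = classify(ev.target)
        if cat is None or image_name(ev.image) in OWNERS[cat]:
            continue
        hits.append(Hit(ev.pid, ev.image, cat, ev.target))
    return hits

def summarize(hits):
    """{pid: set(categories)}: one process reaching into several unrelated
    stores (browser + ftp + mail + scp) is the stealer pattern; a single
    category may still be a backup tool or a migration helper."""
    out = {}
    for h in hits:
        out.setdefault(h.pid, set()).add(h.category)
    return out

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
APPDATA = r"C:\Users\user\AppData"
SAMPLE_EVENTS = [  # constructed from the report's File opened / Key opened lines
    Event(6904, REGSVCS, "file", APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(6904, REGSVCS, "file", APPDATA + r"\Roaming\Mozilla\Firefox\profiles.ini"),
    Event(6904, REGSVCS, "file", APPDATA + r"\Roaming\FileZilla\recentservers.xml"),
    Event(6904, REGSVCS, "file", APPDATA + r"\Roaming\Thunderbird\profiles.ini"),
    Event(6904, REGSVCS, "registry", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    Event(6904, REGSVCS, "registry", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    Event(6904, REGSVCS, "registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                                     r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    # benign control: the owning browser reading its own database
    Event(4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file",
          APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for h in find_hits(SAMPLE_EVENTS):
        print(f"pid={h.pid} {h.category:8} {image_name(h.image)} -> {h.target}")
    print(summarize(find_hits(SAMPLE_EVENTS)))
```

On the constructed events the only flagged process is PID 6904 (RegSvcs.exe) and it spans all four categories, which is the spread worth alerting on; the chrome.exe control event is dropped by the owner check. In a real deployment the same logic sits on Sysmon file-create/registry events or an EDR file-access feed, with the owner list populated from the organisation's software inventory.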

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6904, type: MEMORY
Source: Yara match | File source: Process Memory Space: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe PID: 6556, type: MEMORY
Source: Yara match | File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack, type: UNPACKEDPE
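The Yara match identifiers above carry the process-injection story of this sample on their own: the AgentTesla payload matches in process 1 (the dropped sample) only in dumps taken at the end of its run and at heap addresses (0x41A9000, 0x43a6a70, 0x42883f0), while in process 5 (RegSvcs.exe) it matches at the 32-bit image base 0x400000/0x402000 in an executable-writable region, and already in the dump taken before RegSvcs.exe ran its own code. That is the footprint of a payload decrypted in the parent and written over the image of a suspended child. The parser below is an added example for reading these names (it is not part of the report or of Joe Sandbox); the field layout it assumes (process index, dump stage, dump id, base address, page protection, trailing flag, with stage 0 = dump at process start and 2 = dump at process end) is this editor's reading of the naming scheme and should be treated as an assumption, while the page-protection values are the Windows constants.

```python
"""Parse Joe Sandbox Yara-match source identifiers and summarise per process.

Added example, not from the report. Field semantics (stage 0 = start dump,
stage 2 = end dump) are an assumption; PAGE_* values are Windows constants.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp"
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\.sdmp$")
# "5.0.RegSvcs.exe.400000.0.unpack" / "1.2.<image>.43a6a70.1.raw.unpack"
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9A-Fa-f]+)\."
    r"(?P<n>\d+)(?P<raw>\.raw)?\.unpack$")

PAGE_PROTECTION = {            # Windows memory protection constants
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

@dataclass(frozen=True)
class YaraSource:
    proc: int                      # report process index (1 = sample, 5 = RegSvcs.exe)
    stage: int                     # 0 = at process start, 2 = at process end (assumption)
    addr: int                      # region base address
    kind: str                      # "sdmp" or "unpack"
    protection: Optional[str] = None
    image: Optional[str] = None

def parse_source(s: str) -> Optional[YaraSource]:
    """Return a YaraSource for the two addressable identifier shapes, or
    None for whole-process dumps ('Process Memory Space: ...')."""
    m = SDMP_RE.match(s)
    if m:
        prot = int(m["prot"], 16)
        return YaraSource(int(m["proc"], 16), int(m["stage"], 16), int(m["addr"], 16),
                          "sdmp", PAGE_PROTECTION.get(prot, hex(prot)))
    m = UNPACK_RE.match(s)
    if m:
        return YaraSource(int(m["proc"]), int(m["stage"]), int(m["addr"], 16),
                          "unpack", None, m["image"])
    return None

def hits_by_process(sources):
    """{proc: {(stage, addr), ...}} so the analyst sees where and when each
    process carried the matched code."""
    out = {}
    for s in sources:
        out.setdefault(s.proc, set()).add((s.stage, s.addr))
    return out

def injected_before_start(sources, proc: int) -> bool:
    """True when the rule matched in a start-of-process dump of `proc`: the
    code was present before the process executed its own entry point, so
    another process must have written it there (hollowing-style injection).
    Relies on the stage-0 assumption stated above."""
    return any(s.proc == proc and s.stage == 0 for s in sources)

REPORT_SOURCES = [  # copied from the Yara match lines of this report
    "00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp",
    "00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp",
    "00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp",
    "00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp",
    "5.0.RegSvcs.exe.400000.0.unpack",
    "5.2.RegSvcs.exe.400000.0.unpack",
    "1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack",
    "1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack",
    "1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack",
    "Process Memory Space: RegSvcs.exe PID: 6904",   # no address: skipped
]
SOURCES = [s for s in map(parse_source, REPORT_SOURCES) if s is not None]

if __name__ == "__main__":
    for proc, regions in sorted(hits_by_process(SOURCES).items()):
        print(proc, sorted((st, hex(a)) for st, a in regions),
              "injected before start" if injected_before_start(SOURCES, proc) else "")
```

Run against the identifiers on this page, process 1 has matches only at stage 2 and at heap addresses, process 5 has matches at stage 0 at the image base with PAGE_EXECUTE_READWRITE protection, and only process 5 reports as injected before start. The 0x2CC1000 region in process 5, PAGE_READWRITE at stage 2, is consistent with the running payload's own heap rather than the injected image.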

Mitre Att&ck Matrix

Techniques with matching signatures, grouped by tactic. The digits in parentheses are the per-technique signature count badges exactly as rendered in the matrix; cells of the matrix without a badge are the unpopulated technique template and are omitted here.

Execution: Windows Management Instrumentation (2 1 1); Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1)
Privilege Escalation: Process Injection (2 1 2); Scheduled Task/Job (1)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1 1); Obfuscated Files or Information (4); Software Packing (1 3); Masquerading (1); Virtualization/Sandbox Evasion (1 4 1); Process Injection (2 1 2)
Credential Access: OS Credential Dumping (2); Credentials in Registry (1)
Discovery: Account Discovery (1); File and Directory Discovery (1); System Information Discovery (1 1 4); Query Registry (1); Security Software Discovery (3 2 1); Process Discovery (2); Virtualization/Sandbox Evasion (1 4 1); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
Collection: Archive Collected Data (1 1); Data from Local System (2); Email Collection (1)
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1 1)
Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no matching signatures

Behavior Graph

(The behavior graph is an interactive image and is not reproduced here. Its legend distinguishes processes, signatures, created files, DNS/IP info, dropped files, Windows processes, the number of created registry values and files, the implementation language of each node (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious nodes and Internet endpoints.)

Screenshots

(Screenshot thumbnails are part of the interactive report and are not reproduced here.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | 30% | Virustotal | -
SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | 15% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe | 15% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal

(Negasteal is the vendor family name for AgentTesla, so the ReversingLabs label agrees with the Yara classification above; the dropped file in AppData\Roaming carries the same label as the initial sample.)

Unpacked PE Files

Source | Detection | Scanner | Label
5.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
5.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

URLs

Source | Detection | Scanner | Label | Entries
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe | 4
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe | 1
http://DynDns.comDynDNS | 0% | URL Reputation | safe | 4
https://sectigo.com/CPS0 | 0% | URL Reputation | safe | 4
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe | 4
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe | 4
http://www.tiro.com | 0% | URL Reputation | safe | 4
http://www.goodfont.co.kr | 0% | URL Reputation | safe | 4
https://Tw98FI5QiWYWE4R7ojW.com | 0% | Avira URL Cloud | safe | 1
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe | 1
http://www.carterandcone.coml | 0% | URL Reputation | safe | 3
http://www.sajatypeworks.com | 0% | URL Reputation | safe | 3
http://www.typography.netD | 0% | URL Reputation | safe | 3
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe | 3
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe | 3
http://fontfabrik.com | 0% | URL Reputation | safe | 3
http://www.founder.com.cn/cn | 0% | URL Reputation | safe | 3
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe | 3
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe | 3
http://ocsp.sectigo.com0A | 0% | URL Reputation | safe | 3
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe | 3
http://www.sandoll.co.kr | 0% | URL Reputation | safe | 3
http://xaqngD.com | 0% | Avira URL Cloud | safe | 1
http://www.urwpp.deDPlease | 0% | URL Reputation | safe | 3
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe | 3
http://www.sakkal.com | 0% | URL Reputation | safe | 3
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe | 3

(The Entries column gives how many identical rows the original table listed for each URL.)

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.223 | true | false | - | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
https://sectigo.com/CPS0 | RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://www.fontbureau.com/designers/? | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://us2.smtp.mailhostbox.com | RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://www.fontbureau.com/designers? | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://www.fontbureau.com/designers | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
https://Tw98FI5QiWYWE4R7ojW.com | RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | false | - | high
https://api.ipify.org%$ | RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.sajatypeworks.com | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.typography.netD | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://fontfabrik.com | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.cn/cn | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers/frere-jones.html | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.galapagosdesign.com/DPlease | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers8 | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | - | high
http://ocsp.sectigo.com0A | RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | low
http://www.fonts.com | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://xaqngD.com | RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.zhongyicts.com.cn | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369600695.00000000031A1000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp; RegSvcs.exe, 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe (×3) | unknown

((×n) marks a detection the original table repeated n times for the same URL.)

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.223 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
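Most of the forty URL strings recovered from memory have nothing to do with the malware: the font foundry sites come from the name tables of fonts mapped into the sample's process, the Sectigo URLs are the AIA/OCSP/CPS pointers of a TLS certificate, and the Apache, Bootstrap and xmlsoap entries are framework residue. What is left (an external-IP lookup, a dynamic-DNS host, a Tor client download and an SMTP relay) is the stealer's own configuration material, and only one of those hosts shows up under Contacted Domains. The script below is an added triage example written for this report, not Joe Sandbox code: the URL and contacted-host strings are copied from the tables above (a subset), while the category rules and the names FONT_FOUNDRIES, CERT_INFRA, FRAMEWORK and STEALER_MARKERS are my own heuristics and assumptions, not anything the report states.

```python
"""Sort URL strings recovered from memory into noise and stealer indicators.

Added example for working with this report; not Joe Sandbox code. URL and
contacted-host strings are copied from the report (a subset); the category
rules below are my own triage heuristics (assumption).
"""
from urllib.parse import urlsplit

# Font foundry hosts: they live in the name tables of fonts mapped into the
# sample's process and say nothing about the malware.
FONT_FOUNDRIES = {
    "www.fontbureau.com", "www.founder.com.cn", "www.tiro.com", "www.goodfont.co.kr",
    "www.carterandcone.com", "www.sajatypeworks.com", "www.typography.net",
    "www.galapagosdesign.com", "fontfabrik.com", "www.jiyu-kobo.co.jp",
    "www.sandoll.co.kr", "www.urwpp.de", "www.zhongyicts.com.cn", "www.sakkal.com",
    "www.fonts.com",
}
CERT_INFRA = {"crt.sectigo.com", "ocsp.sectigo.com", "sectigo.com"}  # AIA / OCSP / CPS
FRAMEWORK = {"www.apache.org", "stackpath.bootstrapcdn.com", "schemas.xmlsoap.org"}
# Substrings typical of AgentTesla-family configs: public-IP lookup, dynamic DNS,
# Tor client download and an SMTP relay used for exfiltration.
STEALER_MARKERS = ("api.ipify.org", "dyndns.com", "theonionrouter.com", "smtp.")

# Subset of the "URLs from Memory and Binaries" table, copied verbatim
# (including the junk bytes string extraction glued onto some of them).
URLS = [
    "http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#",
    "http://127.0.0.1:HTTP/1.1",
    "http://www.apache.org/licenses/LICENSE-2.0",
    "http://www.fontbureau.com/designersG",
    "http://DynDns.comDynDNS",
    "https://sectigo.com/CPS0",
    "http://www.founder.com.cn/cn/bThe",
    "http://us2.smtp.mailhostbox.com",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "http://www.tiro.com",
    "https://Tw98FI5QiWYWE4R7ojW.com",
    "https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css",
    "https://api.ipify.org%$",
    "http://www.carterandcone.coml",
    "http://www.typography.netD",
    "http://ocsp.sectigo.com0A",
    "https://api.ipify.org%GETMozilla/5.0",
    "http://xaqngD.com",
    "http://www.urwpp.deDPlease",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://www.sakkal.com",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
]
# From the Contacted Domains table: the only host the sample actually talked to.
CONTACTED = {"us2.smtp.mailhostbox.com": "208.91.199.223"}


def host_of(url):
    """Lowercased hostname; urlsplit tolerates the trailing junk on extracted strings."""
    return urlsplit(url).hostname or ""


def classify(url):
    """Assign one category to a URL; prefix matching absorbs glued-on trailing bytes."""
    host = host_of(url)
    if host.startswith("127.") or host == "localhost":
        return "loopback"
    if any(host.startswith(h) for h in FONT_FOUNDRIES):
        return "font-metadata"
    if any(host.startswith(h) for h in CERT_INFRA):
        return "cert-infra"
    if any(host.startswith(h) for h in FRAMEWORK):
        return "framework"
    if any(marker in host for marker in STEALER_MARKERS):
        return "stealer-indicator"
    return "review"  # unexplained host: leave for manual analysis


def triage(urls, contacted):
    """Bucket URLs by category and flag indicator hosts that were actually contacted."""
    buckets = {}
    for url in dict.fromkeys(urls):  # keep order, drop duplicates
        buckets.setdefault(classify(url), []).append(url)
    indicator_hosts = {host_of(u) for u in buckets.get("stealer-indicator", [])}
    live = sorted(h for h in indicator_hosts if h in contacted)
    return {"buckets": buckets, "live": live}


if __name__ == "__main__":
    result = triage(URLS, CONTACTED)
    for category, items in result["buckets"].items():
        print(f"{category}: {len(items)}")
    print("indicator hosts actually contacted:", result["live"])
```

On the subset above the script leaves two random-looking hosts (Tw98FI5QiWYWE4R7ojW.com, xaqngD.com) for manual review and reports us2.smtp.mailhostbox.com as the only stealer-indicator host that appears under Contacted Domains, which makes that SMTP relay, and the 208.91.199.223 address behind it, the network observable worth hunting for; the ipify, DynDNS and Tor strings are configuration the sample carried but did not exercise during this run.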

                                                  General Information

                                                  Joe Sandbox Version:32.0.0 Black Diamond
                                                  Analysis ID:432708
                                                  Start date:10.06.2021
                                                  Start time:17:30:18
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 9m 18s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:21
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@6/5@2/1
                                                  EGA Information:Failed
                                                  HDC Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 97%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.255.188.83, 92.122.145.220, 168.61.161.212, 13.64.90.137, 20.82.210.154, 2.20.142.209, 2.20.142.210, 51.103.5.159, 20.72.88.19, 20.54.26.129, 92.122.213.194, 92.122.213.247, 184.30.24.56
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, vip1-par02p.wns.notify.trafficmanager.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

Time | Type | Description
17:31:18 | API Interceptor | 1x Sleep call for process: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe modified
17:31:38 | API Interceptor | 670x Sleep call for process: RegSvcs.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

Match: 208.91.199.223 (associated samples, all detected as malicious):
• 0PyeqVfoHGFVl2r.exe
• Urgent Contract Order GH78566484,pdf.exe
• ekrrUChjXvng9Vr.exe
• order 4806125050.xlsx
• BP4w3lADAPfOKmI.exe
• PO -TXGU5022187.xlsx
• FXDmHIiz25.exe
• Urgent Contract Order GH7856648,pdf.exe
• 003BC09180600189.exe
• SecuriteInfo.com.Scr.Malcodegdn30.30554.exe
• MOQ FOB ORDER_________.exe
• YR1eBxhF96.exe
• Quote SEQTE00311701.xlsx
• sqQyO37l3c.exe
• Urgent RFQ_AP65425652_032421,pdf.exe
• INVOICE FOR PAYMENT_pdf____________________________________________.exe
• MOQ FOB ORDER.exe
• Txw9tCLc1Q.exe
• E8aAJC09lVhRGbK.exe
• payment confirmation copy.exe

                                                                                          Domains

Match: us2.smtp.mailhostbox.com (associated samples, all detected as malicious; context IP in parentheses):
• 0PyeqVfoHGFVl2r.exe (208.91.199.223)
• SecuriteInfo.com.MachineLearning.Anomalous.97.15449.exe (208.91.198.143)
• lFccIK78FD.exe (208.91.198.143)
• Urgent Contract Order GH78566484,pdf.exe (208.91.199.225)
• MOQ FOB ORDER.exe (208.91.199.225)
• JK6Ul6IKioPWJ6Y.exe (208.91.198.143)
• ekrrUChjXvng9Vr.exe (208.91.199.223)
• SecuriteInfo.com.Trojan.PackedNET.832.15445.exe (208.91.198.143)
• order 4806125050.xlsx (208.91.198.143)
• SecuriteInfo.com.Trojan.PackedNET.831.28325.exe (208.91.199.225)
• G8mumaTxk5kFdBG.exe (208.91.198.143)
• Trial order 20210609.exe (208.91.199.224)
• BP4w3lADAPfOKmI.exe (208.91.199.223)
• 4It7P3KCyYHUWHU.exe (208.91.199.225)
• PO -TXGU5022187.xlsx (208.91.199.223)
• Bestil 5039066002128.exe (208.91.199.224)
• COMPANY DOCUMENTS.exe (208.91.199.225)
• FXDmHIiz25.exe (208.91.199.223)
• Urgent Contract Order GH7856648,pdf.exe (208.91.198.143)
• SecuriteInfo.com.Trojan.MalPack.ADC.15816.exe (208.91.198.143)

                                                                                          ASN

Match: PUBLIC-DOMAIN-REGISTRY (US) (associated samples, all detected as malicious; context IP in parentheses):
• 0PyeqVfoHGFVl2r.exe (208.91.199.223)
• #U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM (207.174.212.247)
• SecuriteInfo.com.MachineLearning.Anomalous.97.15449.exe (208.91.198.143)
• lFccIK78FD.exe (208.91.198.143)
• Order10 06 2021.doc (162.215.241.145)
• PO187439.exe (119.18.54.126)
• Urgent Contract Order GH78566484,pdf.exe (208.91.199.223)
• MOQ FOB ORDER.exe (208.91.199.225)
• JK6Ul6IKioPWJ6Y.exe (208.91.198.143)
• ekrrUChjXvng9Vr.exe (208.91.199.223)
• SecuriteInfo.com.Trojan.PackedNET.832.15445.exe (208.91.198.143)
• order 4806125050.xlsx (208.91.199.223)
• Bank Swift.doc (162.215.241.145)
• SecuriteInfo.com.Trojan.PackedNET.831.28325.exe (208.91.199.225)
• Trial order 20210609.exe (208.91.199.224)
• BP4w3lADAPfOKmI.exe (208.91.199.223)
• 4It7P3KCyYHUWHU.exe (208.91.199.225)
• PO -TXGU5022187.xlsx (208.91.199.223)
• Bestil 5039066002128.exe (208.91.199.224)
• Doc2000120201.xls (103.21.59.173)

                                                                                          JA3 Fingerprints

                                                                                          No context

                                                                                          Dropped Files

                                                                                          No context

                                                                                          Created / dropped Files

                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.log
                                                                                          Process:C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):1314
                                                                                          Entropy (8bit):5.350128552078965
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                          MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                          SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                          SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                          SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                          Malicious:true
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                          C:\Users\user\AppData\Local\Temp\tmp2894.tmp
                                                                                          Process:C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1658
                                                                                          Entropy (8bit):5.165150822696325
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3+Otn:cbha7JlNQV/rydbz9I3YODOLNdq3n
                                                                                          MD5:3D4A4232313A8C77051BC8881B947A49
                                                                                          SHA1:56E98C5408F3D45EC82B03C3CCF511C8A972AE49
                                                                                          SHA-256:7124E726CC2893A43A14639936466452A4656D461D34F5C41EADA3F5B22E4EAE
                                                                                          SHA-512:43A7C2FCD3B29B73986215E72BF6E68E62D6EA94D2693C7A990A89076352DCBFD71FBA96DEC0991D306153603EE513BDDDA8361C7D41280045AC2325C0F5FB98
                                                                                          Malicious:true
                                                                                          Reputation:low
                                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                                                          C:\Users\user\AppData\Roaming\djtasvra.svm\Chrome\Default\Cookies
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):0.6951152985249047
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
                                                                                          MD5:EA7F9615D77815B5FFF7C15179C6C560
                                                                                          SHA1:3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
                                                                                          SHA-256:A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
                                                                                          SHA-512:9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
                                                                                          Malicious:false
                                                                                          Reputation:moderate, very likely benign file
                                                                                          Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe
                                                                                          Process:C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):979968
                                                                                          Entropy (8bit):7.860191369488232
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:zMRIOXqxYM9iIfFKfffFZgK5tRevE7I/JUKg1PEGdvGM62zn1XuyvqwcgabMNLYE:YtDtRPI/Ff152z8iq9gVnNeBUdt
                                                                                          MD5:D482D04BD4113F1F9F08E39BCA4A3F27
                                                                                          SHA1:783F25F265C34681FFCA9E5C8AC5BEBECC71BBC6
                                                                                          SHA-256:9973C00CF203198A16D3D897FA85D46896F04EA9D58B23917EAEA32A3DE4D5E4
                                                                                          SHA-512:A5E65F1145AF4FDF8E0BD57602918F31EF80E2E9061BEDA08DEDB9E3CDDDF7A8C704FA968B9BF809AD53AD60B14796DB7590C71D5FEC12ED54BC3B5F1F939287
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 15%
                                                                                          Reputation:low
                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..`..............P.............f.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...l.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................H.......H........T..p...........<X...............................................0............(!...(".........(.....o#....*.....................($......(%......(&......('......((....*N..(....o....()....*&..(*....*.s+........s,........s-........s.........s/........*....0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0...........~....o4....+..*&..(5....*...0..<........~.....(6.....,!r...p.....(7...o8...s9............~.....
                                                                                          C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe:Zone.Identifier
                                                                                          Process:C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):26
                                                                                          Entropy (8bit):3.95006375643621
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                          Malicious:true
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview: [ZoneTransfer]....ZoneId=0

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.860191369488232
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          File name:SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                                                                                          File size:979968
                                                                                          MD5:d482d04bd4113f1f9f08e39bca4a3f27
                                                                                          SHA1:783f25f265c34681ffca9e5c8ac5bebecc71bbc6
                                                                                          SHA256:9973c00cf203198a16d3d897fa85d46896f04ea9d58b23917eaea32a3de4d5e4
                                                                                          SHA512:a5e65f1145af4fdf8e0bd57602918f31ef80e2e9061beda08dedb9e3cdddf7a8c704fa968b9bf809ad53ad60b14796db7590c71d5fec12ed54bc3b5f1f939287
                                                                                          SSDEEP:12288:zMRIOXqxYM9iIfFKfffFZgK5tRevE7I/JUKg1PEGdvGM62zn1XuyvqwcgabMNLYE:YtDtRPI/Ff152z8iq9gVnNeBUdt
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..`..............P.............f.... ... ....@.. .......................`............@................................

                                                                                          File Icon

                                                                                          Icon Hash:00828e8e8686b000

                                                                                          Static PE Info

                                                                                          General

                                                                                          Entrypoint: 0x4f0766 (RVA 0xf0766, inside .text)
                                                                                          Entrypoint Section: .text
                                                                                          Digitally signed: false
                                                                                          Imagebase: 0x400000
                                                                                          Subsystem: windows gui
                                                                                          Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                          DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                          Time Stamp: 0x60C1CE5C [Thu Jun 10 08:33:32 2021 UTC] (compiled roughly seven hours before the analysis run at 17:33 CEST the same day)
                                                                                          TLS Callbacks: none
                                                                                          CLR (.Net) Version: v4.0.30319
                                                                                          OS Version Major: 4
                                                                                          OS Version Minor: 0
                                                                                          File Version Major: 4
                                                                                          File Version Minor: 0
                                                                                          Subsystem Version Major: 4
                                                                                          Subsystem Version Minor: 0
                                                                                          Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744 (the imphash of a managed stub whose only import is mscoree.dll!_CorExeMain; virtually every .NET executable shares it, so it is useless as a pivot for this sample)

                                                                                          Entrypoint Preview

                                                                                          Instruction
                                                                                          jmp dword ptr [00402000h]    ; FF 25: indirect jump through the single IAT slot at RVA 0x2000 (mscoree.dll!_CorExeMain), the standard native stub of a .NET executable; all real logic is in the IL
                                                                                          add byte ptr [eax], al       ; shown 97 times in the original preview: disassembly of the zero padding (00 00) that follows the stub, not code that ever runs

                                                                                          Data Directories

                                                                                          Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xf0714         | 0x4f         | .text
                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xf2000         | 0x680        | .rsrc
                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xf4000         | 0xc          | .reloc
                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG          | 0xf05dc         | 0x1c         | .text
                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                                          IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                                          IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                                                          Sections

                                                                                          Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy (bits/byte) | Characteristics
                                                                                          .text  | 0x2000          | 0xee76c      | 0xee800  | False    | 0.881842079403  | data      | 7.86709142883       | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                          .rsrc  | 0xf2000         | 0x680        | 0x800    | False    | 0.34423828125   | data      | 3.58292180879       | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .reloc | 0xf4000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.0815394123432     | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                          Almost the whole file is a single .text section with entropy 7.87 out of a possible 8.0; ordinary IL and metadata do not compress that badly, so the section is carrying an encrypted or compressed blob, which matches the "very large array initializations" and "potential unpacker" signatures listed for this sample.

                                                                                          Resources

                                                                                          Name        | RVA     | Size  | Type                                                                      | Language | Country
                                                                                          RT_VERSION  | 0xf2090 | 0x3f0 | SysEx File - OctavePlateau                                                |          |
                                                                                          RT_MANIFEST | 0xf2490 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

                                                                                          Imports

                                                                                          DLL         | Import
                                                                                          mscoree.dll | _CorExeMain

                                                                                          Version Infos

                                                                                          Description      | Data
                                                                                          Translation      | 0x0000 0x04b0 (language-neutral, Unicode)
                                                                                          LegalCopyright   | Copyright Sutton Grammar School 2015
                                                                                          Assembly Version | 1.0.0.0
                                                                                          InternalName     | RegistryValueOptions.exe
                                                                                          FileVersion      | 1.0.0.0
                                                                                          CompanyName      | Sutton Grammar School
                                                                                          LegalTrademarks  |
                                                                                          Comments         |
                                                                                          ProductName      | Aspiring Rookie - Basketball
                                                                                          ProductVersion   | 1.0.0.0
                                                                                          FileDescription  | Aspiring Rookie - Basketball
                                                                                          OriginalFilename | RegistryValueOptions.exe
                                                                                          Nothing in the version block (company, product, OriginalFilename) relates to the "SAUDI ARAMCO Tender Documents" name the file was delivered under; treat these strings as filler rather than as a provenance lead.
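The static tables above (data directories, sections, imports, version info) are what an analyst checks first on a managed dropper like this one. The script below is an added example, not code from the sandbox report or from the sample's author: it reads those same header fields from a PE32 file with the Python standard library, computes per-section Shannon entropy and applies the checks this report's static data suggests (CLR header present, `jmp dword ptr [IAT]` entry stub, high-entropy executable section, delivered file name differing from OriginalFilename). `build_sample_pe` constructs a stand-in binary that reproduces this sample's header layout (IAT at RVA 0x2000, CLR header at 0x2008, one executable section, entry stub jumping through 0x402000); it is not the real file, and the 7.5 bits/byte entropy threshold is this example's own choice.

```python
"""Static PE triage for the header-level signals the report tabulates (managed stub entry,
CLR header, section entropy, version-info name mismatch).  Added example; PE32 only."""
import math
import struct
from collections import Counter

DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14            # IMAGE_DATA_DIRECTORY indices (PE/COFF spec)
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20, 0x20000000, 0x40000000
HIGH_ENTROPY = 7.5                               # this example's threshold, bits per byte

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant input, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def parse_pe(data: bytes) -> dict:
    """Read DOS/COFF/optional headers, the data directories and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(n_dirs, 16))]
    sections = []
    for i in range(nsec):                        # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}

def rva_to_offset(pe: dict, rva: int) -> int:    # headers map 1:1, everything else via the section table
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return rva

def triage(data: bytes, pe: dict, file_name: str, original_filename: str = "") -> list:
    """Human-readable findings for the signals visible in the report's static tables."""
    findings = []
    if pe["dirs"][DIR_COM_DESCRIPTOR][1]:
        findings.append("CLR header present: managed assembly, decompile the IL instead of disassembling")
    ep = rva_to_offset(pe, pe["entry_rva"])
    stub = data[ep:ep + 6]                       # FF 25 <abs32> = jmp dword ptr [abs32]
    if stub[:2] == b"\xff\x25" and struct.unpack_from("<I", stub, 2)[0] == pe["image_base"] + pe["dirs"][DIR_IAT][0]:
        findings.append("entry point is 'jmp dword ptr [IAT]': only the mscoree.dll!_CorExeMain stub is native")
    for s in pe["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{s['name']}: executable section entropy {s['entropy']:.2f}, "
                            "expect an embedded encrypted/compressed payload")
    if original_filename and original_filename.lower() != file_name.lower():
        findings.append(f"delivered name {file_name!r} != OriginalFilename {original_filename!r}: decoy version info")
    return findings

def build_sample_pe() -> bytes:
    """Constructed stand-in, NOT the real sample: PE32, one high-entropy executable .text at RVA 0x2000
    holding an IAT slot (0x2000), a CLR header (0x2008) and the managed 'jmp dword ptr [0x402000]' stub."""
    image_base, text_va, text_raw, text_size = 0x400000, 0x2000, 0x200, 0x1000
    body = bytearray(text_size)
    struct.pack_into("<I", body, 0, 0xDEAD0000)                  # fake IAT slot (RVA 0x2000)
    struct.pack_into("<I", body, 8, 0x48)                        # CLR header cb field (RVA 0x2008)
    body[0x50:0x52] = b"\xff\x25"                                # entry stub at RVA 0x2050
    struct.pack_into("<I", body, 0x52, image_base + text_va)     # jmp dword ptr [0x402000]
    body[0x56:] = bytes((i * 167 + 29) & 0xFF for i in range(text_size - 0x56))  # uniform pseudo-random fill
    dos = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXECUTABLE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, text_va + 0x50)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x2000, 0x200)              # section / file alignment
    struct.pack_into("<II", opt, 56, text_va + text_size, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, text_va, 8)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, text_va + 8, 0x48)
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size, text_raw, 0, 0, 0, 0,
                      IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(text_raw, b"\0") + bytes(body)

if __name__ == "__main__":
    blob = build_sample_pe()
    for line in triage(blob, parse_pe(blob), "SAUDI ARAMCO Tender Documents - BOQ and ITB.exe",
                       "RegistryValueOptions.exe"):
        print("-", line)
```

To run it against a real file, replace `build_sample_pe()` with `open(path, "rb").read()` and pass the on-disk name plus the OriginalFilename string from the version resource; the entropy threshold is deliberately lower than this sample's 7.87 so that packers which leave a little structure in the section are still caught.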

                                                                                          Network Behavior

                                                                                          Network Port Distribution

                                                                                          TCP Packets

                                                                                          All captured traffic is between the sandbox host 192.168.2.6 and 208.91.199.223 on TCP port 587 (SMTP submission), in two connections from source ports 49756 and 49757; the sample opens no other connection during the run.
                                                                                          Timestamp                            | Source Port | Dest Port | Source IP      | Dest IP
                                                                                          Jun 10, 2021 17:33:10.479696035 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:10.650477886 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:10.650916100 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:10.976522923 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:10.976864100 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:11.146600008 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:11.146632910 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:11.146975994 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:11.316747904 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:11.377764940 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:11.390568972 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:11.560448885 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:11.560492039 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:11.560516119 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:11.560534000 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:11.560560942 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:11.560617924 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:11.612189054 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:11.730477095 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:11.737428904 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:11.911520004 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:11.955981016 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:12.303128004 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:12.473335028 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:12.475898981 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:12.648720980 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:12.649444103 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:12.821443081 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:12.822817087 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:12.993475914 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:12.994048119 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:13.173991919 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:13.174715996 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:13.345331907 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:13.346647978 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:13.346919060 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:13.347495079 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:13.347585917 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:13.518923044 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:13.519177914 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:13.618015051 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:13.659260988 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:15.134013891 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:15.304059982 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:15.304088116 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:15.304160118 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:15.515398979 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:16.027684927 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:16.197911978 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:16.198132038 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:16.371243954 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:16.371661901 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:16.541378021 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:16.541405916 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:16.541645050 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:16.711458921 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:16.711849928 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:16.883419991 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:16.883455038 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:16.883476973 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:16.883491039 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:16.883512020 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:16.883584023 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:16.883625031 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:17.056153059 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:17.057250977 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:17.231990099 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:17.232983112 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:17.402968884 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:17.403321981 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:17.574265957 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:17.574795008 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:17.746846914 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:17.747157097 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:17.918132067 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:17.920967102 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:18.099750042 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:18.103147030 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:18.273401022 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:18.275242090 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:18.275263071 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:18.275304079 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:18.275405884 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:18.275486946 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:18.275499105 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:18.275679111 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:18.275696993 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223
                                                                                          Jun 10, 2021 17:33:18.446731091 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:18.446763039 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:18.446875095 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:18.550154924 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6
                                                                                          Jun 10, 2021 17:33:18.600295067 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223

                                                                                          UDP Packets

Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
Jun 10, 2021 17:31:02.454706907 CEST | 49448       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:02.507204056 CEST | 53          | 49448     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:03.388907909 CEST | 60342       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:03.439327002 CEST | 53          | 60342     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:03.515969038 CEST | 61346       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:03.575881958 CEST | 53          | 61346     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:04.163563013 CEST | 51774       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:04.213637114 CEST | 53          | 51774     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:05.071180105 CEST | 56023       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:05.121479034 CEST | 53          | 56023     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:05.872792006 CEST | 58384       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:05.923058987 CEST | 53          | 58384     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:06.869925976 CEST | 60261       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:06.920420885 CEST | 53          | 60261     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:07.955598116 CEST | 56061       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:08.008680105 CEST | 53          | 56061     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:09.124854088 CEST | 58336       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:09.183629990 CEST | 53          | 58336     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:09.926561117 CEST | 53781       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:09.977077961 CEST | 53          | 53781     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:10.834800005 CEST | 54064       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:10.885247946 CEST | 53          | 54064     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:12.394650936 CEST | 52811       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:12.446430922 CEST | 53          | 52811     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:13.730518103 CEST | 55299       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:13.783741951 CEST | 53          | 55299     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:14.656606913 CEST | 63745       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:14.708142042 CEST | 53          | 63745     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:15.470185041 CEST | 50055       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:15.523374081 CEST | 53          | 50055     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:16.412583113 CEST | 61374       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:16.467366934 CEST | 53          | 61374     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:17.370920897 CEST | 50339       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:17.423866987 CEST | 53          | 50339     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:18.502713919 CEST | 63307       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:18.557754993 CEST | 53          | 63307     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:19.511921883 CEST | 49694       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:19.570600986 CEST | 53          | 49694     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:38.596976042 CEST | 54982       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:38.672111988 CEST | 53          | 54982     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:57.697578907 CEST | 50010       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:57.758120060 CEST | 53          | 50010     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:59.005544901 CEST | 63718       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:59.065460920 CEST | 53          | 63718     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:59.138434887 CEST | 62116       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:59.200548887 CEST | 53          | 62116     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:31:59.669686079 CEST | 63816       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:31:59.728132010 CEST | 53          | 63816     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:00.213629961 CEST | 55014       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:00.272160053 CEST | 53          | 55014     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:01.232726097 CEST | 62208       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:01.292577982 CEST | 53          | 62208     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:02.512305975 CEST | 57574       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:02.562861919 CEST | 53          | 57574     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:03.533533096 CEST | 51818       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:03.586412907 CEST | 53          | 51818     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:04.535249949 CEST | 56628       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:04.575356960 CEST | 60778       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:04.599773884 CEST | 53          | 56628     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:04.637058020 CEST | 53          | 60778     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:05.478972912 CEST | 53799       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:05.529314995 CEST | 53          | 53799     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:07.022960901 CEST | 54683       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:07.084357977 CEST | 53          | 54683     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:08.825927973 CEST | 59329       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:08.880645990 CEST | 53          | 59329     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:10.282305956 CEST | 64021       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:10.336668968 CEST | 53          | 64021     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:36.095303059 CEST | 56129       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:36.156645060 CEST | 53          | 56129     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:36.544816971 CEST | 58177       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:36.603729963 CEST | 53          | 58177     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:32:40.335472107 CEST | 50700       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:32:40.400543928 CEST | 53          | 50700     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:33:00.480405092 CEST | 54069       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:33:00.542309046 CEST | 53          | 54069     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:33:10.290950060 CEST | 61178       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:33:10.355426073 CEST | 53          | 61178     | 8.8.8.8     | 192.168.2.6
Jun 10, 2021 17:33:15.963887930 CEST | 57017       | 53        | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 17:33:16.025271893 CEST | 53          | 57017     | 8.8.8.8     | 192.168.2.6

                                                                                          DNS Queries

Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                     | Type           | Class
Jun 10, 2021 17:33:10.290950060 CEST | 192.168.2.6 | 8.8.8.8 | 0xb231   | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)
Jun 10, 2021 17:33:15.963887930 CEST | 192.168.2.6 | 8.8.8.8 | 0x3f46   | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)

                                                                                          DNS Answers

Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name                     | CName | Address        | Type           | Class
Jun 10, 2021 17:33:10.355426073 CEST | 8.8.8.8   | 192.168.2.6 | 0xb231   | No error (0) | us2.smtp.mailhostbox.com |       | 208.91.199.223 | A (IP address) | IN (0x0001)
Jun 10, 2021 17:33:10.355426073 CEST | 8.8.8.8   | 192.168.2.6 | 0xb231   | No error (0) | us2.smtp.mailhostbox.com |       | 208.91.199.225 | A (IP address) | IN (0x0001)
Jun 10, 2021 17:33:10.355426073 CEST | 8.8.8.8   | 192.168.2.6 | 0xb231   | No error (0) | us2.smtp.mailhostbox.com |       | 208.91.198.143 | A (IP address) | IN (0x0001)
Jun 10, 2021 17:33:10.355426073 CEST | 8.8.8.8   | 192.168.2.6 | 0xb231   | No error (0) | us2.smtp.mailhostbox.com |       | 208.91.199.224 | A (IP address) | IN (0x0001)
Jun 10, 2021 17:33:16.025271893 CEST | 8.8.8.8   | 192.168.2.6 | 0x3f46   | No error (0) | us2.smtp.mailhostbox.com |       | 208.91.199.223 | A (IP address) | IN (0x0001)
Jun 10, 2021 17:33:16.025271893 CEST | 8.8.8.8   | 192.168.2.6 | 0x3f46   | No error (0) | us2.smtp.mailhostbox.com |       | 208.91.199.225 | A (IP address) | IN (0x0001)
Jun 10, 2021 17:33:16.025271893 CEST | 8.8.8.8   | 192.168.2.6 | 0x3f46   | No error (0) | us2.smtp.mailhostbox.com |       | 208.91.198.143 | A (IP address) | IN (0x0001)
Jun 10, 2021 17:33:16.025271893 CEST | 8.8.8.8   | 192.168.2.6 | 0x3f46   | No error (0) | us2.smtp.mailhostbox.com |       | 208.91.199.224 | A (IP address) | IN (0x0001)

                                                                                          SMTP Packets

Timestamp                            | Source Port | Dest Port | Source IP      | Dest IP        | Commands
Jun 10, 2021 17:33:10.976522923 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6    | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jun 10, 2021 17:33:10.976864100 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223 | EHLO 651689
Jun 10, 2021 17:33:11.146632910 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6    | 250-us2.outbound.mailhostbox.com
                                     |             |           |                |                | 250-PIPELINING
                                     |             |           |                |                | 250-SIZE 41648128
                                     |             |           |                |                | 250-VRFY
                                     |             |           |                |                | 250-ETRN
                                     |             |           |                |                | 250-STARTTLS
                                     |             |           |                |                | 250-AUTH PLAIN LOGIN
                                     |             |           |                |                | 250-AUTH=PLAIN LOGIN
                                     |             |           |                |                | 250-ENHANCEDSTATUSCODES
                                     |             |           |                |                | 250-8BITMIME
                                     |             |           |                |                | 250 DSN
Jun 10, 2021 17:33:11.146975994 CEST | 49756       | 587       | 192.168.2.6    | 208.91.199.223 | STARTTLS
Jun 10, 2021 17:33:11.316747904 CEST | 587         | 49756     | 208.91.199.223 | 192.168.2.6    | 220 2.0.0 Ready to start TLS
Jun 10, 2021 17:33:16.371243954 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6    | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jun 10, 2021 17:33:16.371661901 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223 | EHLO 651689
Jun 10, 2021 17:33:16.541405916 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6    | 250-us2.outbound.mailhostbox.com
                                     |             |           |                |                | 250-PIPELINING
                                     |             |           |                |                | 250-SIZE 41648128
                                     |             |           |                |                | 250-VRFY
                                     |             |           |                |                | 250-ETRN
                                     |             |           |                |                | 250-STARTTLS
                                     |             |           |                |                | 250-AUTH PLAIN LOGIN
                                     |             |           |                |                | 250-AUTH=PLAIN LOGIN
                                     |             |           |                |                | 250-ENHANCEDSTATUSCODES
                                     |             |           |                |                | 250-8BITMIME
                                     |             |           |                |                | 250 DSN
Jun 10, 2021 17:33:16.541645050 CEST | 49757       | 587       | 192.168.2.6    | 208.91.199.223 | STARTTLS
Jun 10, 2021 17:33:16.711458921 CEST | 587         | 49757     | 208.91.199.223 | 192.168.2.6    | 220 2.0.0 Ready to start TLS
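The DNS Answers and SMTP Packets tables together show the exfiltration pattern a detection engineer can key on: the sandbox host resolves a shared mail relay, opens a submission connection to it on 587 within seconds, announces itself with a bare numeric EHLO name rather than an FQDN, and issues STARTTLS before AUTH so nothing after the banner is visible in the capture. The Python below is an added example, not part of this Joe Sandbox report; it correlates the two tables as if they were DNS and SMTP logs from a sensor. The log records are constructed from the tables above (timestamps are seconds after 17:33:00 CEST), and the relay watchlist and 60-second correlation window are assumptions, not values the report states.

```python
"""Correlate DNS answers with SMTP commands to flag unattended mail submission:
relay resolved seconds earlier, EHLO with a non-FQDN name, then STARTTLS.

Added example, not Joe Sandbox code. Records are constructed from the report's
DNS Answers and SMTP Packets tables (seconds after 17:33:00 CEST). The
watchlist and the 60 s window are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    ts: float
    client: str      # resolver client
    name: str
    addr: str


@dataclass
class SmtpMsg:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    text: str        # first line of the command or reply


CLIENT = "192.168.2.6"
RELAY = "208.91.199.223"

# constructed from the DNS Answers table (only the A record the client then used)
DNS_LOG = [
    DnsAnswer(10.355, CLIENT, "us2.smtp.mailhostbox.com", RELAY),
    DnsAnswer(16.025, CLIENT, "us2.smtp.mailhostbox.com", RELAY),
]

# constructed from the SMTP Packets table
SMTP_LOG = [
    SmtpMsg(10.976, RELAY, 587, CLIENT, 49756, "220 us2.outbound.mailhostbox.com ESMTP Postfix"),
    SmtpMsg(10.977, CLIENT, 49756, RELAY, 587, "EHLO 651689"),
    SmtpMsg(11.146, RELAY, 587, CLIENT, 49756, "250-us2.outbound.mailhostbox.com"),
    SmtpMsg(11.147, CLIENT, 49756, RELAY, 587, "STARTTLS"),
    SmtpMsg(11.317, RELAY, 587, CLIENT, 49756, "220 2.0.0 Ready to start TLS"),
    SmtpMsg(16.371, RELAY, 587, CLIENT, 49757, "220 us2.outbound.mailhostbox.com ESMTP Postfix"),
    SmtpMsg(16.372, CLIENT, 49757, RELAY, 587, "EHLO 651689"),
    SmtpMsg(16.541, RELAY, 587, CLIENT, 49757, "250-us2.outbound.mailhostbox.com"),
    SmtpMsg(16.542, CLIENT, 49757, RELAY, 587, "STARTTLS"),
    SmtpMsg(16.711, RELAY, 587, CLIENT, 49757, "220 2.0.0 Ready to start TLS"),
]

SUBMISSION_PORTS = {25, 465, 587}
RELAY_WATCHLIST = {"mailhostbox.com"}   # assumed: shared relays seen in stealer configs

# RFC 5321: the EHLO argument is the client's FQDN or an address literal such as
# [192.168.2.6]; a single all-digit label is neither.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")
LITERAL_RE = re.compile(r"^\[[^\]]+\]$")


def ehlo_is_suspicious(arg: str) -> bool:
    """True when the EHLO/HELO argument is neither an FQDN nor an address literal."""
    return not (FQDN_RE.match(arg) or LITERAL_RE.match(arg))


def resolved_name(dns, client, addr, before_ts, window):
    """Name this client most recently resolved to addr inside the window, else None."""
    best = None
    for a in dns:
        if a.client == client and a.addr == addr and before_ts - window <= a.ts <= before_ts:
            if best is None or a.ts > best.ts:
                best = a
    return best.name if best else None


def on_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in RELAY_WATCHLIST)


def find_exfil_sessions(dns, smtp, window=60.0):
    """One hit per client connection that EHLOs with a non-FQDN name to a watch-listed
    relay resolved within `window` seconds; records whether STARTTLS followed."""
    sessions = {}
    for m in smtp:
        if m.dst_port not in SUBMISSION_PORTS:
            continue                      # server replies are not client commands
        key = (m.src_ip, m.src_port, m.dst_ip, m.dst_port)
        s = sessions.setdefault(key, {"ehlo": None, "name": None, "starttls": False})
        verb, _, arg = m.text.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            s["ehlo"] = arg.strip()
            s["name"] = resolved_name(dns, m.src_ip, m.dst_ip, m.ts, window)
        elif verb == "STARTTLS":
            s["starttls"] = True
    hits = []
    for (client, sport, relay_ip, _), s in sessions.items():
        if s["ehlo"] is not None and s["name"] and on_watchlist(s["name"]) \
                and ehlo_is_suspicious(s["ehlo"]):
            hits.append({"client": client, "src_port": sport, "relay_ip": relay_ip,
                         "relay": s["name"], "ehlo": s["ehlo"], "starttls": s["starttls"]})
    return sorted(hits, key=lambda h: h["src_port"])


if __name__ == "__main__":
    for hit in find_exfil_sessions(DNS_LOG, SMTP_LOG):
        print(hit)
```

Run against the constructed records this yields two hits, one per client port (49756 and 49757), both with EHLO `651689` and STARTTLS seen. The DNS-to-SMTP correlation is what keeps the rule from firing on a real mail client: legitimate MUAs also use STARTTLS on 587, but they EHLO with a resolvable host name and the relay they talk to belongs to the organisation, not to a shared hosting provider the rest of the estate never resolves.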

                                                                                          Code Manipulations

                                                                                          Statistics

                                                                                          Behavior


                                                                                          System Behavior

                                                                                          General

                                                                                          Start time:17:31:09
                                                                                          Start date:10/06/2021
                                                                                          Path:C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe'
                                                                                          Imagebase:0xde0000
                                                                                          File size:979968 bytes
                                                                                          MD5 hash:D482D04BD4113F1F9F08E39BCA4A3F27
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          Reputation:low

                                                                                          General

                                                                                          Start time:17:31:22
                                                                                          Start date:10/06/2021
                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'
                                                                                          Imagebase:0xb90000
                                                                                          File size:185856 bytes
                                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:17:31:25
                                                                                          Start date:10/06/2021
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff61de10000
                                                                                          File size:625664 bytes
                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:17:31:27
                                                                                          Start date:10/06/2021
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                          Imagebase:0xa10000
                                                                                          File size:45152 bytes
                                                                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          Reputation:high
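The four process records above give the host-side chain: the executable dropped on the Desktop runs schtasks.exe to import a task definition from a tmp file in the user's Temp directory (persistence), and then starts the 32-bit RegSvcs.exe from the .NET Framework directory with no assembly on the command line, which is the hollowing target the "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" signatures refer to, and matches the "Suspicious Process Start Without DLL" Sigma hit. The Python below is an added example, not part of this Joe Sandbox report, showing how a process-creation log would be triaged for that chain. The events are constructed from the System Behavior section; the pid/ppid links are assumed because the report prints no parent relationships, and HOLLOW_TARGETS is an assumed list.

```python
"""Process-creation triage for the chain in the report: user-dropped EXE ->
schtasks /Create /XML <Temp file>, and a bare RegSvcs.exe with no assembly
argument (the usual injection target).

Added example, not Joe Sandbox code. Events are constructed from the System
Behavior section; pid/ppid values are assumed. HOLLOW_TARGETS is assumed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# constructed from the System Behavior section; pid/ppid assumed
EVENTS = [
    ProcEvent(1, 0, r"C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe",
              r"'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe'"),
    ProcEvent(2, 1, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'"),
    ProcEvent(3, 2, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
]

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe"}     # assumed; extend for your estate
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")   # a quoted path stays one token


def tokens(cmdline):
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]


def arg_after(toks, flag):
    """Value following a case-insensitive flag, or None."""
    low = [t.lower() for t in toks]
    if flag in low and low.index(flag) + 1 < len(toks):
        return toks[low.index(flag) + 1]
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_schtasks_from_temp(ev, by_pid):
    """schtasks /Create importing a task XML from Temp, launched by a user-writable binary."""
    if basename(ev.image) != "schtasks.exe":
        return None
    toks = tokens(ev.cmdline)
    if "/create" not in {t.lower() for t in toks}:
        return None
    xml_path = arg_after(toks, "/xml") or ""
    parent = by_pid.get(ev.ppid)
    if TEMP_DIR.search(xml_path) and parent and USER_WRITABLE.match(parent.image):
        return {"rule": "schtasks_xml_from_temp", "pid": ev.pid,
                "task": arg_after(toks, "/tn"), "xml": xml_path, "parent": parent.image}
    return None


def flag_bare_dotnet_utility(ev, by_pid):
    """RegSvcs/RegAsm with no assembly argument has nothing legitimate to do, but it is
    a signed Microsoft image that injected code can run inside."""
    if basename(ev.image) not in HOLLOW_TARGETS or len(tokens(ev.cmdline)) > 1:
        return None
    parent = by_pid.get(ev.ppid)
    return {"rule": "dotnet_utility_no_args", "pid": ev.pid, "image": ev.image,
            "parent": parent.image if parent else None,
            "parent_user_writable": bool(parent and USER_WRITABLE.match(parent.image))}


def triage(events):
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        for rule in (flag_schtasks_from_temp, flag_bare_dotnet_utility):
            hit = rule(ev, by_pid)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

On the constructed events the schtasks rule fires with task name `Updates\sXNiyYIFndkxd` and the Temp XML path, and the RegSvcs rule fires with the Desktop executable as parent. In a real deployment the parent link comes from the EDR or Sysmon event 1, and the scheduled-task rule is worth pairing with a read of the imported XML before it is deleted, since the task action is the only place the persisted path appears.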

                                                                                          Disassembly

                                                                                          Code Analysis
