
Analysis Report Agreement Transfer Details.exe

Overview

General Information

Sample Name: Agreement Transfer Details.exe
Analysis ID: 299674
MD5: 54c7ef29fab6bef229e425eca4ecf2ff
SHA1: 0594bc4e532575bf0433c17297f8ff3b39339c75
SHA256: 5e951126749d16d0caa6f76e7574174d655e40274beabe9d7db5f000db3662ae
Tags: exe, GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Agreement Transfer Details.exe (PID: 1012 cmdline: 'C:\Users\user\Desktop\Agreement Transfer Details.exe' MD5: 54C7EF29FAB6BEF229E425ECA4ECF2FF)
    • Agreement Transfer Details.exe (PID: 348 cmdline: 'C:\Users\user\Desktop\Agreement Transfer Details.exe' MD5: 54C7EF29FAB6BEF229E425ECA4ECF2FF)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 6988 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 4676 cmdline: /c del 'C:\Users\user\Desktop\Agreement Transfer Details.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.612190497.0000000004D60000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.612190497.0000000004D60000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.612190497.0000000004D60000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.446148479.00000000000A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.446148479.00000000000A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Sigma Overview

      No Sigma rule has matched

      Signature Overview


      AV Detection:

      Yara detected FormBook
      Source: Yara match, File source: 0000000C.00000002.612190497.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000002.00000002.446148479.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.610911212.00000000030B0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000002.00000002.451389234.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.612329698.0000000004D90000.00000004.00000001.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop ebx, 12_2_030B7AFC
      Source: unknown, DNS traffic detected: queries for: onedrive.live.com

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match, File source: 0000000C.00000002.612190497.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000002.00000002.446148479.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.610911212.00000000030B0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000002.00000002.451389234.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.612329698.0000000004D90000.00000004.00000001.sdmp, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 0000000C.00000002.612190497.0000000004D60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000C.00000002.612190497.0000000004D60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000002.00000002.446148479.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000002.446148479.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 0000000C.00000002.611168243.000000000322C000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
      Source: 0000000C.00000002.610911212.00000000030B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000C.00000002.610911212.00000000030B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000002.00000002.451389234.000000001E150000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000002.451389234.000000001E150000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 0000000C.00000002.612329698.0000000004D90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000C.00000002.612329698.0000000004D90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 0000000C.00000002.614401702.00000000054BF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F71C0C NtSetInformationThread,0_2_04F71C0C
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F701F6 EnumWindows,NtSetInformationThread,0_2_04F701F6
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F715F2 NtWriteVirtualMemory,0_2_04F715F2
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F736B3 NtProtectVirtualMemory,0_2_04F736B3
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F73A98 LoadLibraryA,NtResumeThread,0_2_04F73A98
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F718F7 NtWriteVirtualMemory,0_2_04F718F7
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F70D0B NtWriteVirtualMemory,0_2_04F70D0B
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F73AFE NtResumeThread,0_2_04F73AFE
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F73AE2 NtResumeThread,0_2_04F73AE2
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F702EF NtSetInformationThread,0_2_04F702EF
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F712CD NtSetInformationThread,0_2_04F712CD
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F73ABB NtResumeThread,0_2_04F73ABB
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F73A9E NtResumeThread,0_2_04F73A9E
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F7027B NtSetInformationThread,0_2_04F7027B
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F73A79 NtResumeThread,0_2_04F73A79
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F7164A NtWriteVirtualMemory,0_2_04F7164A
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F717F8 NtWriteVirtualMemory,0_2_04F717F8
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F73BD7 NtResumeThread,0_2_04F73BD7
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F71F8E NtWriteVirtualMemory,0_2_04F71F8E
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F71708 NtWriteVirtualMemory,0_2_04F71708
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_1E3E9660
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_1E3E96E0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,2_2_1E3E9710
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_1E3E97A0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,2_2_1E3E9780
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9540 NtReadFile,LdrInitializeThunk,2_2_1E3E9540
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E95D0 NtClose,LdrInitializeThunk,2_2_1E3E95D0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,2_2_1E3E9A20
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_1E3E9A00
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,2_2_1E3E9A50
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,2_2_1E3E9860
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,2_2_1E3E9840
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_1E3E98F0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_1E3E9910
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,2_2_1E3E99A0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9610 NtEnumerateValueKey,2_2_1E3E9610
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9670 NtQueryInformationProcess,2_2_1E3E9670
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9650 NtQueryValueKey,2_2_1E3E9650
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E96D0 NtCreateKey,2_2_1E3E96D0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9730 NtQueryVirtualMemory,2_2_1E3E9730
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3EA710 NtOpenProcessToken,2_2_1E3EA710
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3EA770 NtOpenThread,2_2_1E3EA770
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9770 NtSetInformationFile,2_2_1E3E9770
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9760 NtOpenProcess,2_2_1E3E9760
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9FE0 NtCreateMutant,2_2_1E3E9FE0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3EAD30 NtSetContextThread,2_2_1E3EAD30
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9520 NtWaitForSingleObject,2_2_1E3E9520
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9560 NtWriteFile,2_2_1E3E9560
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E95F0 NtQueryInformationFile,2_2_1E3E95F0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9A10 NtQuerySection,2_2_1E3E9A10
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9A80 NtOpenDirectoryObject,2_2_1E3E9A80
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9B00 NtSetValueKey,2_2_1E3E9B00
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3EA3B0 NtGetContextThread,2_2_1E3EA3B0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9820 NtEnumerateKey,2_2_1E3E9820
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3EB040 NtSuspendThread,2_2_1E3EB040
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E98A0 NtWriteVirtualMemory,2_2_1E3E98A0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E9950 NtQueueApcThread,2_2_1E3E9950
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E99D0 NtCreateProcessEx,2_2_1E3E99D0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00561C0C NtSetInformationThread,2_2_00561C0C
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_005601F6 EnumWindows,NtSetInformationThread,2_2_005601F6
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_005612CD NtSetInformationThread,Sleep,TerminateThread,2_2_005612CD
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00563A98 LoadLibraryA,NtSetInformationThread,2_2_00563A98
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_005636B3 NtProtectVirtualMemory,2_2_005636B3
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_0056027B NtSetInformationThread,2_2_0056027B
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00563A79 NtSetInformationThread,2_2_00563A79
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00563AFE NtSetInformationThread,2_2_00563AFE
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00563AE2 NtSetInformationThread,2_2_00563AE2
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_005602EF NtSetInformationThread,2_2_005602EF
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00563A9E NtSetInformationThread,2_2_00563A9E
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00563ABB NtSetInformationThread,2_2_00563ABB
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00563BD7 NtSetInformationThread,2_2_00563BD7
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF95D0 NtClose,LdrInitializeThunk,12_2_04FF95D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9540 NtReadFile,LdrInitializeThunk,12_2_04FF9540
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF96E0 NtFreeVirtualMemory,LdrInitializeThunk,12_2_04FF96E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF96D0 NtCreateKey,LdrInitializeThunk,12_2_04FF96D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9660 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_04FF9660
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9650 NtQueryValueKey,LdrInitializeThunk,12_2_04FF9650
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9FE0 NtCreateMutant,LdrInitializeThunk,12_2_04FF9FE0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9780 NtMapViewOfSection,LdrInitializeThunk,12_2_04FF9780
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9710 NtQueryInformationToken,LdrInitializeThunk,12_2_04FF9710
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9860 NtQuerySystemInformation,LdrInitializeThunk,12_2_04FF9860
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9840 NtDelayExecution,LdrInitializeThunk,12_2_04FF9840
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF99A0 NtCreateSection,LdrInitializeThunk,12_2_04FF99A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,12_2_04FF9910
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9A50 NtCreateFile,LdrInitializeThunk,12_2_04FF9A50
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF95F0 NtQueryInformationFile,12_2_04FF95F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9560 NtWriteFile,12_2_04FF9560
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FFAD30 NtSetContextThread,12_2_04FFAD30
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9520 NtWaitForSingleObject,12_2_04FF9520
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9670 NtQueryInformationProcess,12_2_04FF9670
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9610 NtEnumerateValueKey,12_2_04FF9610
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF97A0 NtUnmapViewOfSection,12_2_04FF97A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9770 NtSetInformationFile,12_2_04FF9770
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FFA770 NtOpenThread,12_2_04FFA770
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9760 NtOpenProcess,12_2_04FF9760
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9730 NtQueryVirtualMemory,12_2_04FF9730
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FFA710 NtOpenProcessToken,12_2_04FFA710
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF98F0 NtReadVirtualMemory,12_2_04FF98F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF98A0 NtWriteVirtualMemory,12_2_04FF98A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FFB040 NtSuspendThread,12_2_04FFB040
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9820 NtEnumerateKey,12_2_04FF9820
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF99D0 NtCreateProcessEx,12_2_04FF99D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9950 NtQueueApcThread,12_2_04FF9950
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9A80 NtOpenDirectoryObject,12_2_04FF9A80
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9A20 NtResumeThread,12_2_04FF9A20
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9A10 NtQuerySection,12_2_04FF9A10
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9A00 NtProtectVirtualMemory,12_2_04FF9A00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FFA3B0 NtGetContextThread,12_2_04FFA3B0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF9B00 NtSetValueKey,12_2_04FF9B00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030C9F30 NtAllocateVirtualMemory,12_2_030C9F30
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030C9E00 NtReadFile,12_2_030C9E00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030C9E80 NtClose,12_2_030C9E80
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030C9D50 NtCreateFile,12_2_030C9D50
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030C9F2B NtAllocateVirtualMemory,12_2_030C9F2B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030C9D4A NtCreateFile,12_2_030C9D4A
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: String function: 1E3AB150 appears 35 times
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 04FBB150 appears 133 times
      Source: Agreement Transfer Details.exe, 00000000.00000002.363523163.0000000002190000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameYODELLINGUNPLANEDENTERORRHEAREDBAYS.exeFE2X vs Agreement Transfer Details.exe
      Source: Agreement Transfer Details.exe, 00000000.00000002.363489657.0000000002090000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Agreement Transfer Details.exe
      Source: Agreement Transfer Details.exe, 00000000.00000000.341381845.000000000040C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameYODELLINGUNPLANEDENTERORRHEAREDBAYS.exe vs Agreement Transfer Details.exe
      Source: Agreement Transfer Details.exe, 00000002.00000002.458626220.000000001E49F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Agreement Transfer Details.exe
      Source: Agreement Transfer Details.exe, 00000002.00000002.446172661.00000000000D0000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMSTP.EXE` vs Agreement Transfer Details.exe
      Source: Agreement Transfer Details.exe, 00000002.00000002.450733433.000000001DEF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Agreement Transfer Details.exe
      Source: Agreement Transfer Details.exe, 00000002.00000000.362510066.000000000040C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameYODELLINGUNPLANEDENTERORRHEAREDBAYS.exe vs Agreement Transfer Details.exe
      Source: Agreement Transfer Details.exe, 00000002.00000002.450634791.000000001DDA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs Agreement Transfer Details.exe
      Source: Agreement Transfer Details.exeBinary or memory string: OriginalFilenameYODELLINGUNPLANEDENTERORRHEAREDBAYS.exe vs Agreement Transfer Details.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: 0000000C.00000002.612190497.0000000004D60000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.612190497.0000000004D60000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000002.00000002.446148479.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.446148479.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.611168243.000000000322C000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.610911212.00000000030B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.610911212.00000000030B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000002.00000002.451389234.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.451389234.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.612329698.0000000004D90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.612329698.0000000004D90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.614401702.00000000054BF000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@4/0
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4544:120:WilError_01
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeFile created: C:\Users\user\AppData\Local\Temp\~DFDCB44D32DD7EA971.TMP
      Source: Agreement Transfer Details.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: unknownProcess created: C:\Users\user\Desktop\Agreement Transfer Details.exe 'C:\Users\user\Desktop\Agreement Transfer Details.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Agreement Transfer Details.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeProcess created: C:\Users\user\Desktop\Agreement Transfer Details.exe 'C:\Users\user\Desktop\Agreement Transfer Details.exe'
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Agreement Transfer Details.exe'
      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
      Source: Binary string: cmstp.pdbGCTL source: Agreement Transfer Details.exe, 00000002.00000002.446172661.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.427887976.0000000007CA0000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Agreement Transfer Details.exe, 00000002.00000002.458626220.000000001E49F000.00000040.00000001.sdmp, cmstp.exe, 0000000C.00000002.613208127.00000000050AF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Agreement Transfer Details.exe, cmstp.exe
      Source: Binary string: cmstp.pdb source: Agreement Transfer Details.exe, 00000002.00000002.446172661.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.427887976.0000000007CA0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara matchFile source: 00000002.00000002.446227784.0000000000560000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Agreement Transfer Details.exe PID: 1012, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Agreement Transfer Details.exe PID: 348, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara matchFile source: Process Memory Space: Agreement Transfer Details.exe PID: 1012, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Agreement Transfer Details.exe PID: 348, type: MEMORY
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_004044FF push CA990756h; ret 0_2_00404504
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_004045FF push CA990756h; ret 0_2_00404604
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_00405329 push esp; ret 0_2_004052CC
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_00405332 push esp; ret 0_2_004052CC
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_00404FF9 push cs; retf 0_2_00405095
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3FD0D1 push ecx; ret 2_2_1E3FD0E4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0500D0D1 push ecx; ret 12_2_0500D0E4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030C6A5E push ds; ret 12_2_030C6A5F
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030C691E push eax; ret 12_2_030C691F
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030CCF5C push eax; ret 12_2_030CCF62
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030C761D push 72A11B81h; iretd 12_2_030C7623
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030C7624 push ebp; ret 12_2_030C762E
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030CBE68 push ss; ret 12_2_030CBE6C
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030CCEA5 push eax; ret 12_2_030CCEF8
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030CCEFB push eax; ret 12_2_030CCF62
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030CCEF2 push eax; ret 12_2_030CCEF8
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_030CE46B push edi; retf 12_2_030CE46C
      Source: initial sampleStatic PE information: section name: .text entropy: 6.90004364967

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE8
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeRDTSC instruction interceptor: First address: 0000000004F730B6 second address: 0000000004F730B6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F1D8C8EFCE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test dl, al 0x00000021 pop ecx 0x00000022 jmp 00007F1D8C8EFCFAh 0x00000024 cmp ch, ah 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 test bh, bh 0x0000002b cmp ecx, 00000000h 0x0000002e jne 00007F1D8C8EFCB1h 0x00000030 push ecx 0x00000031 test ecx, ecx 0x00000033 call 00007F1D8C8EFD22h 0x00000038 call 00007F1D8C8EFCFAh 0x0000003d lfence 0x00000040 mov edx, dword ptr [7FFE0014h] 0x00000046 lfence 0x00000049 ret 0x0000004a mov esi, edx 0x0000004c pushad 0x0000004d rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeFile opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Agreement Transfer Details.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeRDTSC instruction interceptor: First address: 0000000004F730B6 second address: 0000000004F730B6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F1D8C8EFCE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test dl, al 0x00000021 pop ecx 0x00000022 jmp 00007F1D8C8EFCFAh 0x00000024 cmp ch, ah 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 test bh, bh 0x0000002b cmp ecx, 00000000h 0x0000002e jne 00007F1D8C8EFCB1h 0x00000030 push ecx 0x00000031 test ecx, ecx 0x00000033 call 00007F1D8C8EFD22h 0x00000038 call 00007F1D8C8EFCFAh 0x0000003d lfence 0x00000040 mov edx, dword ptr [7FFE0014h] 0x00000046 lfence 0x00000049 ret 0x0000004a mov esi, edx 0x0000004c pushad 0x0000004d rdtsc
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeRDTSC instruction interceptor: First address: 0000000004F730D8 second address: 0000000004F730D8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F1D8C8DE395h 0x0000001f popad 0x00000020 call 00007F1D8C8DE217h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeRDTSC instruction interceptor: First address: 00000000005630D8 second address: 00000000005630D8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F1D8C8EFEE5h 0x0000001f popad 0x00000020 call 00007F1D8C8EFD67h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeRDTSC instruction interceptor: First address: 0000000000562E63 second address: 0000000000562E63 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor bx, ax 0x00000006 cmp bx, 5A4Dh 0x0000000b je 00007F1D8C8DE198h 0x0000000d inc cx 0x0000000f jmp 00007F1D8C8DE16Bh 0x00000011 mov eax, dword ptr [ebp+64h] 0x00000014 mov bx, word ptr [edx+00010040h] 0x0000001b mov ax, word ptr [eax] 0x0000001e xor ax, cx 0x00000021 pushad 0x00000022 mov edi, 00000080h 0x00000027 rdtsc
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 00000000030B98E4 second address: 00000000030B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 00000000030B9B4E second address: 00000000030B9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F730D5 rdtsc 0_2_04F730D5
      Source: C:\Windows\explorer.exe TID: 5712Thread sleep time: -52000s >= -30000s
      Source: C:\Windows\SysWOW64\cmstp.exe TID: 6996Thread sleep time: -45000s >= -30000s
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: explorer.exe, 00000007.00000000.430437765.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 00000007.00000000.430544564.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000007.00000000.422540142.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000007.00000000.423760647.00000000063F6000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000007.00000000.430437765.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
      Source: Agreement Transfer Details.exe, 00000002.00000003.400804737.00000000009A8000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000007.00000000.428841743.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
      Source: explorer.exe, 00000007.00000000.422540142.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Agreement Transfer Details.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000007.00000000.422540142.0000000005D50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000007.00000000.428841743.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: explorer.exe, 00000007.00000000.430544564.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
      Source: Agreement Transfer Details.exe, 00000002.00000002.446430909.0000000000968000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWX^
      Source: Agreement Transfer Details.exe, 00000002.00000003.400804737.00000000009A8000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWen-USnL
      Source: explorer.exe, 00000007.00000000.405093438.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
      Source: explorer.exe, 00000007.00000000.422540142.0000000005D50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeProcess information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F71C0C NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,000000000_2_04F71C0C
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeProcess queried: DebugPort
      Source: C:\Windows\SysWOW64\cmstp.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 0_2_04F730D5 rdtsc 0_2_04F730D5
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3E967A LdrInitializeThunk,2_2_1E3E967A
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3AB171 mov eax, dword ptr fs:[00000030h]2_2_1E3AB171
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3AB171 mov eax, dword ptr fs:[00000030h]2_2_1E3AB171
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3AC962 mov eax, dword ptr fs:[00000030h]2_2_1E3AC962
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3CB944 mov eax, dword ptr fs:[00000030h]2_2_1E3CB944
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3CB944 mov eax, dword ptr fs:[00000030h]2_2_1E3CB944
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]2_2_1E3D61A0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]2_2_1E3D61A0
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E4341E8 mov eax, dword ptr fs:[00000030h]2_2_1E4341E8
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3D2990 mov eax, dword ptr fs:[00000030h]2_2_1E3D2990
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3DA185 mov eax, dword ptr fs:[00000030h]2_2_1E3DA185
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3CC182 mov eax, dword ptr fs:[00000030h]2_2_1E3CC182
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]2_2_1E3AB1E1
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]2_2_1E3AB1E1
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]2_2_1E3AB1E1
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E4269A6 mov eax, dword ptr fs:[00000030h]2_2_1E4269A6
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]2_2_1E4251BE
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]2_2_1E4251BE
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]2_2_1E4251BE
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]2_2_1E4251BE
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_005612CD mov eax, dword ptr fs:[00000030h]2_2_005612CD
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00562C5F mov eax, dword ptr fs:[00000030h]2_2_00562C5F
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00560E04 mov eax, dword ptr fs:[00000030h]2_2_00560E04
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00562EF4 mov eax, dword ptr fs:[00000030h]2_2_00562EF4
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_00561AB5 mov eax, dword ptr fs:[00000030h]2_2_00561AB5
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exeCode function: 2_2_0056339C mov eax, dword ptr fs:[00000030h]2_2_0056339C
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0503A537 mov eax, dword ptr fs:[00000030h]12_2_0503A537
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05088D34 mov eax, dword ptr fs:[00000030h]12_2_05088D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0507E539 mov eax, dword ptr fs:[00000030h]12_2_0507E539
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05033540 mov eax, dword ptr fs:[00000030h]12_2_05033540
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05063D40 mov eax, dword ptr fs:[00000030h]12_2_05063D40
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC849B mov eax, dword ptr fs:[00000030h]12_2_04FC849B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEAC7B mov eax, dword ptr fs:[00000030h]12_2_04FEAC7B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05072D82 mov eax, dword ptr fs:[00000030h]12_2_05072D82
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05072D82 mov eax, dword ptr fs:[00000030h]12_2_05072D82
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05072D82 mov eax, dword ptr fs:[00000030h]12_2_05072D82
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05072D82 mov eax, dword ptr fs:[00000030h]12_2_05072D82
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05072D82 mov eax, dword ptr fs:[00000030h]12_2_05072D82
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05072D82 mov eax, dword ptr fs:[00000030h]12_2_05072D82
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05072D82 mov eax, dword ptr fs:[00000030h]12_2_05072D82
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FD746D mov eax, dword ptr fs:[00000030h]12_2_04FD746D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050805AC mov eax, dword ptr fs:[00000030h]12_2_050805AC
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050805AC mov eax, dword ptr fs:[00000030h]12_2_050805AC
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEA44B mov eax, dword ptr fs:[00000030h]12_2_04FEA44B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036DC9 mov eax, dword ptr fs:[00000030h]12_2_05036DC9
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036DC9 mov eax, dword ptr fs:[00000030h]12_2_05036DC9
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036DC9 mov eax, dword ptr fs:[00000030h]12_2_05036DC9
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036DC9 mov ecx, dword ptr fs:[00000030h]12_2_05036DC9
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036DC9 mov eax, dword ptr fs:[00000030h]12_2_05036DC9
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036DC9 mov eax, dword ptr fs:[00000030h]12_2_05036DC9
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEBC2C mov eax, dword ptr fs:[00000030h]12_2_04FEBC2C
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0507FDE2 mov eax, dword ptr fs:[00000030h]12_2_0507FDE2
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0507FDE2 mov eax, dword ptr fs:[00000030h]12_2_0507FDE2
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0507FDE2 mov eax, dword ptr fs:[00000030h]12_2_0507FDE2
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0507FDE2 mov eax, dword ptr fs:[00000030h]12_2_0507FDE2
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05068DF1 mov eax, dword ptr fs:[00000030h]12_2_05068DF1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071C06 mov eax, dword ptr fs:[00000030h]12_2_05071C06
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0508740D mov eax, dword ptr fs:[00000030h]12_2_0508740D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0508740D mov eax, dword ptr fs:[00000030h]12_2_0508740D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0508740D mov eax, dword ptr fs:[00000030h]12_2_0508740D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036C0A mov eax, dword ptr fs:[00000030h]12_2_05036C0A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036C0A mov eax, dword ptr fs:[00000030h]12_2_05036C0A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036C0A mov eax, dword ptr fs:[00000030h]12_2_05036C0A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036C0A mov eax, dword ptr fs:[00000030h]12_2_05036C0A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FCD5E0 mov eax, dword ptr fs:[00000030h]12_2_04FCD5E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FCD5E0 mov eax, dword ptr fs:[00000030h]12_2_04FCD5E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE1DB5 mov eax, dword ptr fs:[00000030h]12_2_04FE1DB5
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE1DB5 mov eax, dword ptr fs:[00000030h]12_2_04FE1DB5
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE1DB5 mov eax, dword ptr fs:[00000030h]12_2_04FE1DB5
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0504C450 mov eax, dword ptr fs:[00000030h]12_2_0504C450
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0504C450 mov eax, dword ptr fs:[00000030h]12_2_0504C450
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE35A1 mov eax, dword ptr fs:[00000030h]12_2_04FE35A1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEFD9B mov eax, dword ptr fs:[00000030h]12_2_04FEFD9B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEFD9B mov eax, dword ptr fs:[00000030h]12_2_04FEFD9B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB2D8A mov eax, dword ptr fs:[00000030h]12_2_04FB2D8A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB2D8A mov eax, dword ptr fs:[00000030h]12_2_04FB2D8A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB2D8A mov eax, dword ptr fs:[00000030h]12_2_04FB2D8A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB2D8A mov eax, dword ptr fs:[00000030h]12_2_04FB2D8A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB2D8A mov eax, dword ptr fs:[00000030h]12_2_04FB2D8A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE2581 mov eax, dword ptr fs:[00000030h]12_2_04FE2581
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE2581 mov eax, dword ptr fs:[00000030h]12_2_04FE2581
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE2581 mov eax, dword ptr fs:[00000030h]12_2_04FE2581
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE2581 mov eax, dword ptr fs:[00000030h]12_2_04FE2581
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDC577 mov eax, dword ptr fs:[00000030h]12_2_04FDC577
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDC577 mov eax, dword ptr fs:[00000030h]12_2_04FDC577
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05074496 mov eax, dword ptr fs:[00000030h]12_2_05074496
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FD7D50 mov eax, dword ptr fs:[00000030h]12_2_04FD7D50
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF3D43 mov eax, dword ptr fs:[00000030h]12_2_04FF3D43
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE4D3B mov eax, dword ptr fs:[00000030h]12_2_04FE4D3B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE4D3B mov eax, dword ptr fs:[00000030h]12_2_04FE4D3B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE4D3B mov eax, dword ptr fs:[00000030h]12_2_04FE4D3B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC3D34 mov eax, dword ptr fs:[00000030h]12_2_04FC3D34
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FBAD30 mov eax, dword ptr fs:[00000030h]12_2_04FBAD30
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05088CD6 mov eax, dword ptr fs:[00000030h]12_2_05088CD6
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036CF0 mov eax, dword ptr fs:[00000030h]12_2_05036CF0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036CF0 mov eax, dword ptr fs:[00000030h]12_2_05036CF0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05036CF0 mov eax, dword ptr fs:[00000030h]12_2_05036CF0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050714FB mov eax, dword ptr fs:[00000030h]12_2_050714FB
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0508070D mov eax, dword ptr fs:[00000030h]12_2_0508070D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0508070D mov eax, dword ptr fs:[00000030h]12_2_0508070D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0504FF10 mov eax, dword ptr fs:[00000030h]12_2_0504FF10
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0504FF10 mov eax, dword ptr fs:[00000030h]12_2_0504FF10
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE16E0 mov ecx, dword ptr fs:[00000030h]12_2_04FE16E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC76E2 mov eax, dword ptr fs:[00000030h]12_2_04FC76E2
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE36CC mov eax, dword ptr fs:[00000030h]12_2_04FE36CC
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF8EC7 mov eax, dword ptr fs:[00000030h]12_2_04FF8EC7
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05088F6A mov eax, dword ptr fs:[00000030h]12_2_05088F6A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDAE73 mov eax, dword ptr fs:[00000030h]12_2_04FDAE73
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDAE73 mov eax, dword ptr fs:[00000030h]12_2_04FDAE73
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDAE73 mov eax, dword ptr fs:[00000030h]12_2_04FDAE73
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDAE73 mov eax, dword ptr fs:[00000030h]12_2_04FDAE73
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDAE73 mov eax, dword ptr fs:[00000030h]12_2_04FDAE73
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC766D mov eax, dword ptr fs:[00000030h]12_2_04FC766D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05037794 mov eax, dword ptr fs:[00000030h]12_2_05037794
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05037794 mov eax, dword ptr fs:[00000030h]12_2_05037794
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05037794 mov eax, dword ptr fs:[00000030h]12_2_05037794
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC7E41 mov eax, dword ptr fs:[00000030h]12_2_04FC7E41
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC7E41 mov eax, dword ptr fs:[00000030h]12_2_04FC7E41
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC7E41 mov eax, dword ptr fs:[00000030h]12_2_04FC7E41
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC7E41 mov eax, dword ptr fs:[00000030h]12_2_04FC7E41
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC7E41 mov eax, dword ptr fs:[00000030h]12_2_04FC7E41
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC7E41 mov eax, dword ptr fs:[00000030h]12_2_04FC7E41
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FBE620 mov eax, dword ptr fs:[00000030h]12_2_04FBE620
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEA61C mov eax, dword ptr fs:[00000030h]12_2_04FEA61C
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEA61C mov eax, dword ptr fs:[00000030h]12_2_04FEA61C
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FBC600 mov eax, dword ptr fs:[00000030h]12_2_04FBC600
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FBC600 mov eax, dword ptr fs:[00000030h]12_2_04FBC600
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FBC600 mov eax, dword ptr fs:[00000030h]12_2_04FBC600
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE8E00 mov eax, dword ptr fs:[00000030h]12_2_04FE8E00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF37F5 mov eax, dword ptr fs:[00000030h]12_2_04FF37F5
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05071608 mov eax, dword ptr fs:[00000030h]12_2_05071608
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0506FE3F mov eax, dword ptr fs:[00000030h]12_2_0506FE3F
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0507AE44 mov eax, dword ptr fs:[00000030h]12_2_0507AE44
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0507AE44 mov eax, dword ptr fs:[00000030h]12_2_0507AE44
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FC8794 mov eax, dword ptr fs:[00000030h]12_2_04FC8794
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0504FE87 mov eax, dword ptr fs:[00000030h]12_2_0504FE87
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FCFF60 mov eax, dword ptr fs:[00000030h]12_2_04FCFF60
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050346A7 mov eax, dword ptr fs:[00000030h]12_2_050346A7
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05080EA5 mov eax, dword ptr fs:[00000030h]12_2_05080EA5
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05080EA5 mov eax, dword ptr fs:[00000030h]12_2_05080EA5
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05080EA5 mov eax, dword ptr fs:[00000030h]12_2_05080EA5
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FCEF40 mov eax, dword ptr fs:[00000030h]12_2_04FCEF40
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDB73D mov eax, dword ptr fs:[00000030h]12_2_04FDB73D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDB73D mov eax, dword ptr fs:[00000030h]12_2_04FDB73D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0506FEC0 mov eax, dword ptr fs:[00000030h]12_2_0506FEC0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEE730 mov eax, dword ptr fs:[00000030h]12_2_04FEE730
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB4F2E mov eax, dword ptr fs:[00000030h]12_2_04FB4F2E
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB4F2E mov eax, dword ptr fs:[00000030h]12_2_04FB4F2E
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05088ED6 mov eax, dword ptr fs:[00000030h]12_2_05088ED6
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDF716 mov eax, dword ptr fs:[00000030h]12_2_04FDF716
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEA70E mov eax, dword ptr fs:[00000030h]12_2_04FEA70E
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEA70E mov eax, dword ptr fs:[00000030h]12_2_04FEA70E
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB58EC mov eax, dword ptr fs:[00000030h]12_2_04FB58EC
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDB8E4 mov eax, dword ptr fs:[00000030h]12_2_04FDB8E4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDB8E4 mov eax, dword ptr fs:[00000030h]12_2_04FDB8E4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB40E1 mov eax, dword ptr fs:[00000030h]12_2_04FB40E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB40E1 mov eax, dword ptr fs:[00000030h]12_2_04FB40E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB40E1 mov eax, dword ptr fs:[00000030h]12_2_04FB40E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEF0BF mov ecx, dword ptr fs:[00000030h]12_2_04FEF0BF
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEF0BF mov eax, dword ptr fs:[00000030h]12_2_04FEF0BF
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FEF0BF mov eax, dword ptr fs:[00000030h]12_2_04FEF0BF
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FF90AF mov eax, dword ptr fs:[00000030h]12_2_04FF90AF
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE20A0 mov eax, dword ptr fs:[00000030h]12_2_04FE20A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE20A0 mov eax, dword ptr fs:[00000030h]12_2_04FE20A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE20A0 mov eax, dword ptr fs:[00000030h]12_2_04FE20A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE20A0 mov eax, dword ptr fs:[00000030h]12_2_04FE20A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE20A0 mov eax, dword ptr fs:[00000030h]12_2_04FE20A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE20A0 mov eax, dword ptr fs:[00000030h]12_2_04FE20A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FB9080 mov eax, dword ptr fs:[00000030h]12_2_04FB9080
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050749A4 mov eax, dword ptr fs:[00000030h]12_2_050749A4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050749A4 mov eax, dword ptr fs:[00000030h]12_2_050749A4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050749A4 mov eax, dword ptr fs:[00000030h]12_2_050749A4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050749A4 mov eax, dword ptr fs:[00000030h]12_2_050749A4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050369A6 mov eax, dword ptr fs:[00000030h]12_2_050369A6
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FD0050 mov eax, dword ptr fs:[00000030h]12_2_04FD0050
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FD0050 mov eax, dword ptr fs:[00000030h]12_2_04FD0050
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050351BE mov eax, dword ptr fs:[00000030h]12_2_050351BE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050351BE mov eax, dword ptr fs:[00000030h]12_2_050351BE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050351BE mov eax, dword ptr fs:[00000030h]12_2_050351BE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050351BE mov eax, dword ptr fs:[00000030h]12_2_050351BE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDA830 mov eax, dword ptr fs:[00000030h]12_2_04FDA830
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDA830 mov eax, dword ptr fs:[00000030h]12_2_04FDA830
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDA830 mov eax, dword ptr fs:[00000030h]12_2_04FDA830
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FDA830 mov eax, dword ptr fs:[00000030h]12_2_04FDA830
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE002D mov eax, dword ptr fs:[00000030h]12_2_04FE002D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE002D mov eax, dword ptr fs:[00000030h]12_2_04FE002D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE002D mov eax, dword ptr fs:[00000030h]12_2_04FE002D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE002D mov eax, dword ptr fs:[00000030h]12_2_04FE002D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FE002D mov eax, dword ptr fs:[00000030h]12_2_04FE002D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FCB02A mov eax, dword ptr fs:[00000030h]12_2_04FCB02A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FCB02A mov eax, dword ptr fs:[00000030h]12_2_04FCB02A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FCB02A mov eax, dword ptr fs:[00000030h]12_2_04FCB02A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FCB02A mov eax, dword ptr fs:[00000030h]12_2_04FCB02A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_050441E8 mov eax, dword ptr fs:[00000030h]12_2_050441E8
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05037016 mov eax, dword ptr fs:[00000030h]12_2_05037016
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05037016 mov eax, dword ptr fs:[00000030h]12_2_05037016
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05037016 mov eax, dword ptr fs:[00000030h]12_2_05037016
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FBB1E1 mov eax, dword ptr fs:[00000030h]12_2_04FBB1E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FBB1E1 mov eax, dword ptr fs:[00000030h]12_2_04FBB1E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FBB1E1 mov eax, dword ptr fs:[00000030h]12_2_04FBB1E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05084015 mov eax, dword ptr fs:[00000030h]12_2_05084015
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_05084015 mov eax, dword ptr fs:[00000030h]12_2_05084015
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04FD99BF mov ecx, dword ptr fs:[00000030h]12_2_04FD99BF
      Source: C:\Users\user\Desktop\Agreement Transfer Details.exe Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion: