Analysis Report Contract Agreement.exe

Overview

General Information

Sample Name: Contract Agreement.exe
Analysis ID: 385426
MD5: 75612f2e3922d80afe14068c3a510c99
SHA1: ade818e1272e6131c504273ca678ff805d01d41d
SHA256: 913b12686b62bfbaa6cd0169c2b37bb2d06d095335f3ac14047ec49d3a755b2d
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.middlehambooks.com/klf/"], "decoy": ["podcastyourvote.com", "northernlsx.com", "guide4idiots.com", "artebythesea.com", "sapanyc.com", "livinoutthedreamsco.com", "thepowersinyou.com", "protocolmodern.com", "holdergear.com", "betteringthehumanexperience.xyz", "agnostec.com", "royermaldonado.com", "wealthtruckingco.com", "artcode-software.com", "microsoftpods.com", "identityofplace.com", "algoritas.com", "grandpaurbanfarm.net", "zahidibr.com", "flawlessdrinking.com", "amymako.com", "tinymodeldiana.com", "restoremyorigin.com", "gyrostoyou.com", "boiler-portal.com", "aprilmarieclaire.com", "midollan.com", "finestfaux.com", "lownak.com", "okque.com", "woodandresin.club", "benficalovers.com", "fangyu5827.com", "tententacleshydro.com", "oouuweee.com", "sgsnit.com", "fairisnotfair.com", "shpwmy.com", "238olive.com", "4515a.com", "frontrangetechnologies.com", "v-travelclub.com", "supportserverhotline23.info", "snowandmotion.com", "colinboycemp.net", "yowoit.com", "neopivot.com", "singlebarrel.net", "esdras-almeida.com", "contecoliving.com", "doctorsdietgulfport.com", "issue72-paypal.com", "pubgfrut.com", "constipationhub.com", "themodernspiritualgoddess.com", "qzhongkong.com", "bizcert360.com", "nashvillegems.com", "barryteeling.com", "wzocflfor.com", "mirrorsmarbella.com", "nyariorganics.com", "packtmall.com", "100973671.review"]}
Multi AV Scanner detection for submitted file
Source: Contract Agreement.exe ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match File source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.Contract Agreement.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.cmstp.exe.4bff834.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.cmstp.exe.5bbc70.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.Contract Agreement.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Contract Agreement.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmstp.pdbGCTL source: Contract Agreement.exe, 00000001.00000002.687889109.0000000000970000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000002.916848212.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Contract Agreement.exe, 00000000.00000003.644430719.000000001EF60000.00000004.00000001.sdmp, Contract Agreement.exe, 00000001.00000002.688088335.0000000000B0F000.00000040.00000001.sdmp, cmstp.exe, 00000004.00000002.907753990.00000000046D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Contract Agreement.exe, cmstp.exe
Source: Binary string: cmstp.pdb source: Contract Agreement.exe, 00000001.00000002.687889109.0000000000970000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000002.916848212.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 4x nop then pop ebx 1_2_00407B02
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 4x nop then pop ebx 1_1_00407B02
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop ebx 4_2_02BA7B02

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49750 -> 142.111.179.147:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49750 -> 142.111.179.147:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49750 -> 142.111.179.147:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 72.52.251.1:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 72.52.251.1:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 72.52.251.1:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.middlehambooks.com/klf/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /klf/?bl=VTChTP0hZXHDb84&Y4pTrva=ZAijfgstlYq8fKC0iYK9133s/sVwbQ6uXCBDF/fP0oHXHYAEtG3x8g/iP6moTRr8/loA HTTP/1.1Host: www.sapanyc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /klf/?Y4pTrva=l4OXKFqiDRIL5M7Qs3ptSHdfRIx3aIBnF9VcnLQHKrQrW9fnriE9a3t8qZQrlYiaWXmB&bl=VTChTP0hZXHDb84 HTTP/1.1Host: www.bizcert360.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View ASN Name: LIQUIDWEBUS LIQUIDWEBUS
Source: global traffic HTTP traffic detected: GET /klf/?bl=VTChTP0hZXHDb84&Y4pTrva=ZAijfgstlYq8fKC0iYK9133s/sVwbQ6uXCBDF/fP0oHXHYAEtG3x8g/iP6moTRr8/loA HTTP/1.1Host: www.sapanyc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /klf/?Y4pTrva=l4OXKFqiDRIL5M7Qs3ptSHdfRIx3aIBnF9VcnLQHKrQrW9fnriE9a3t8qZQrlYiaWXmB&bl=VTChTP0hZXHDb84 HTTP/1.1Host: www.bizcert360.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.sapanyc.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000002.908299208.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00419D60 NtCreateFile, 1_2_00419D60
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00419E10 NtReadFile, 1_2_00419E10
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00419E90 NtClose, 1_2_00419E90
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00419F40 NtAllocateVirtualMemory, 1_2_00419F40
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00419D5A NtCreateFile, 1_2_00419D5A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00419DB4 NtReadFile, 1_2_00419DB4
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00419E0A NtReadFile, 1_2_00419E0A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A598F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00A598F0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00A59860
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59840 NtDelayExecution,LdrInitializeThunk, 1_2_00A59840
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A599A0 NtCreateSection,LdrInitializeThunk, 1_2_00A599A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00A59910
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59A20 NtResumeThread,LdrInitializeThunk, 1_2_00A59A20
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00A59A00
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59A50 NtCreateFile,LdrInitializeThunk, 1_2_00A59A50
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A595D0 NtClose,LdrInitializeThunk, 1_2_00A595D0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59540 NtReadFile,LdrInitializeThunk, 1_2_00A59540
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A596E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00A596E0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00A59660
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A597A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00A597A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00A59780
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00A59710
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A598A0 NtWriteVirtualMemory, 1_2_00A598A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59820 NtEnumerateKey, 1_2_00A59820
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A5B040 NtSuspendThread, 1_2_00A5B040
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A599D0 NtCreateProcessEx, 1_2_00A599D0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59950 NtQueueApcThread, 1_2_00A59950
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59A80 NtOpenDirectoryObject, 1_2_00A59A80
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59A10 NtQuerySection, 1_2_00A59A10
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A5A3B0 NtGetContextThread, 1_2_00A5A3B0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59B00 NtSetValueKey, 1_2_00A59B00
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A595F0 NtQueryInformationFile, 1_2_00A595F0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59520 NtWaitForSingleObject, 1_2_00A59520
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A5AD30 NtSetContextThread, 1_2_00A5AD30
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59560 NtWriteFile, 1_2_00A59560
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A596D0 NtCreateKey, 1_2_00A596D0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59610 NtEnumerateValueKey, 1_2_00A59610
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59670 NtQueryInformationProcess, 1_2_00A59670
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59650 NtQueryValueKey, 1_2_00A59650
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59FE0 NtCreateMutant, 1_2_00A59FE0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59730 NtQueryVirtualMemory, 1_2_00A59730
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A5A710 NtOpenProcessToken, 1_2_00A5A710
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59760 NtOpenProcess, 1_2_00A59760
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A59770 NtSetInformationFile, 1_2_00A59770
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A5A770 NtOpenThread, 1_2_00A5A770
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00419D60 NtCreateFile, 1_1_00419D60
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00419E10 NtReadFile, 1_1_00419E10
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00419E90 NtClose, 1_1_00419E90
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00419F40 NtAllocateVirtualMemory, 1_1_00419F40
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00419D5A NtCreateFile, 1_1_00419D5A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00419DB4 NtReadFile, 1_1_00419DB4
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00419E0A NtReadFile, 1_1_00419E0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739540 NtReadFile,LdrInitializeThunk, 4_2_04739540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047395D0 NtClose,LdrInitializeThunk, 4_2_047395D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_04739660
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739650 NtQueryValueKey,LdrInitializeThunk, 4_2_04739650
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047396E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_047396E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047396D0 NtCreateKey,LdrInitializeThunk, 4_2_047396D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739710 NtQueryInformationToken,LdrInitializeThunk, 4_2_04739710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739FE0 NtCreateMutant,LdrInitializeThunk, 4_2_04739FE0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739780 NtMapViewOfSection,LdrInitializeThunk, 4_2_04739780
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_04739860
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739840 NtDelayExecution,LdrInitializeThunk, 4_2_04739840
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_04739910
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047399A0 NtCreateSection,LdrInitializeThunk, 4_2_047399A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739A50 NtCreateFile,LdrInitializeThunk, 4_2_04739A50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739560 NtWriteFile, 4_2_04739560
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0473AD30 NtSetContextThread, 4_2_0473AD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739520 NtWaitForSingleObject, 4_2_04739520
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047395F0 NtQueryInformationFile, 4_2_047395F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739670 NtQueryInformationProcess, 4_2_04739670
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739610 NtEnumerateValueKey, 4_2_04739610
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0473A770 NtOpenThread, 4_2_0473A770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739770 NtSetInformationFile, 4_2_04739770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739760 NtOpenProcess, 4_2_04739760
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739730 NtQueryVirtualMemory, 4_2_04739730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0473A710 NtOpenProcessToken, 4_2_0473A710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047397A0 NtUnmapViewOfSection, 4_2_047397A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0473B040 NtSuspendThread, 4_2_0473B040
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739820 NtEnumerateKey, 4_2_04739820
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047398F0 NtReadVirtualMemory, 4_2_047398F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047398A0 NtWriteVirtualMemory, 4_2_047398A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739950 NtQueueApcThread, 4_2_04739950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047399D0 NtCreateProcessEx, 4_2_047399D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739A20 NtResumeThread, 4_2_04739A20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739A10 NtQuerySection, 4_2_04739A10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739A00 NtProtectVirtualMemory, 4_2_04739A00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739A80 NtOpenDirectoryObject, 4_2_04739A80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04739B00 NtSetValueKey, 4_2_04739B00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0473A3B0 NtGetContextThread, 4_2_0473A3B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BB9E90 NtClose, 4_2_02BB9E90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BB9E10 NtReadFile, 4_2_02BB9E10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BB9F40 NtAllocateVirtualMemory, 4_2_02BB9F40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BB9D60 NtCreateFile, 4_2_02BB9D60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BB9E0A NtReadFile, 4_2_02BB9E0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BB9DB4 NtReadFile, 4_2_02BB9DB4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BB9D5A NtCreateFile, 4_2_02BB9D5A
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040314A
Detected potential crypto function
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_004046A7 0_2_004046A7
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0040102E 1_2_0040102E
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00402D8D 1_2_00402D8D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00409E40 1_2_00409E40
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041D669 1_2_0041D669
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00409E3B 1_2_00409E3B
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041D743 1_2_0041D743
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041CFA3 1_2_0041CFA3
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A420A0 1_2_00A420A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE20A8 1_2_00AE20A8
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2B090 1_2_00A2B090
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE28EC 1_2_00AE28EC
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AEE824 1_2_00AEE824
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A830 1_2_00A3A830
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD1002 1_2_00AD1002
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A34120 1_2_00A34120
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1F900 1_2_00A1F900
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE22AE 1_2_00AE22AE
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ACFA2B 1_2_00ACFA2B
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4EBB0 1_2_00A4EBB0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AC23E3 1_2_00AC23E3
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD03DA 1_2_00AD03DA
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4ABD8 1_2_00A4ABD8
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ADDBD2 1_2_00ADDBD2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE2B28 1_2_00AE2B28
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3AB40 1_2_00A3AB40
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2841F 1_2_00A2841F
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ADD466 1_2_00ADD466
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A42581 1_2_00A42581
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD2D82 1_2_00AD2D82
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2D5E0 1_2_00A2D5E0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE25DD 1_2_00AE25DD
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A10D20 1_2_00A10D20
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE2D07 1_2_00AE2D07
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE1D55 1_2_00AE1D55
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE2EF7 1_2_00AE2EF7
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A36E30 1_2_00A36E30
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ADD616 1_2_00ADD616
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE1FF1 1_2_00AE1FF1
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AEDFCE 1_2_00AEDFCE
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0040102E 1_1_0040102E
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00401030 1_1_00401030
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00402D8D 1_1_00402D8D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00402D90 1_1_00402D90
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00409E40 1_1_00409E40
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0041D669 1_1_0041D669
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00409E3B 1_1_00409E3B
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0041D743 1_1_0041D743
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0471B477 4_2_0471B477
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047BD466 4_2_047BD466
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0470841F 4_2_0470841F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047B4496 4_2_047B4496
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C1D55 4_2_047C1D55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046F0D20 4_2_046F0D20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C2D07 4_2_047C2D07
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0470D5E0 4_2_0470D5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C25DD 4_2_047C25DD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04722581 4_2_04722581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047B2D82 4_2_047B2D82
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04716E30 4_2_04716E30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047BD616 4_2_047BD616
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C2EF7 4_2_047C2EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C1FF1 4_2_047C1FF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047CDFCE 4_2_047CDFCE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0471A830 4_2_0471A830
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047CE824 4_2_047CE824
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047B1002 4_2_047B1002
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C28EC 4_2_047C28EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047220A0 4_2_047220A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C20A8 4_2_047C20A8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0470B090 4_2_0470B090
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04714120 4_2_04714120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046FF900 4_2_046FF900
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047199BF 4_2_047199BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0471B236 4_2_0471B236
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047AFA2B 4_2_047AFA2B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047B4AEF 4_2_047B4AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C22AE 4_2_047C22AE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0471AB40 4_2_0471AB40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0479CB4F 4_2_0479CB4F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C2B28 4_2_047C2B28
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0471A309 4_2_0471A309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047A23E3 4_2_047A23E3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047B03DA 4_2_047B03DA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047BDBD2 4_2_047BDBD2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0472ABD8 4_2_0472ABD8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0472EBB0 4_2_0472EBB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0472138B 4_2_0472138B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BA9E3B 4_2_02BA9E3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BA9E40 4_2_02BA9E40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BA2FB0 4_2_02BA2FB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BBCFA3 4_2_02BBCFA3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BBD743 4_2_02BBD743
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BA2D90 4_2_02BA2D90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BA2D8D 4_2_02BA2D8D
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: String function: 00A1B150 appears 133 times
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: String function: 0041BBE0 appears 38 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 046FB150 appears 136 times
Sample file is different than original file name gathered from version info
Source: Contract Agreement.exe, 00000000.00000003.648343088.000000001EF16000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Contract Agreement.exe
Source: Contract Agreement.exe, 00000001.00000002.688088335.0000000000B0F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Contract Agreement.exe
Source: Contract Agreement.exe, 00000001.00000002.687889109.0000000000970000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMSTP.EXE` vs Contract Agreement.exe
Uses 32bit PE files
Source: Contract Agreement.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses a Windows Living Off The Land Binaries (LOL bins)
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Yara signature match
Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@4/2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041E5
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar, 0_2_004020A6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_01
Source: C:\Users\user\Desktop\Contract Agreement.exe File created: C:\Users\user\AppData\Local\Temp\nsg2E20.tmp
Source: Contract Agreement.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Contract Agreement.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Contract Agreement.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Contract Agreement.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\Contract Agreement.exe File read: C:\Users\user\Desktop\Contract Agreement.exe
Source: unknown Process created: C:\Users\user\Desktop\Contract Agreement.exe 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: C:\Users\user\Desktop\Contract Agreement.exe Process created: C:\Users\user\Desktop\Contract Agreement.exe 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Contract Agreement.exe Process created: C:\Users\user\Desktop\Contract Agreement.exe 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: C:\Users\user\Desktop\Contract Agreement.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: cmstp.pdbGCTL source: Contract Agreement.exe, 00000001.00000002.687889109.0000000000970000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000002.916848212.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Contract Agreement.exe, 00000000.00000003.644430719.000000001EF60000.00000004.00000001.sdmp, Contract Agreement.exe, 00000001.00000002.688088335.0000000000B0F000.00000040.00000001.sdmp, cmstp.exe, 00000004.00000002.907753990.00000000046D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Contract Agreement.exe, cmstp.exe
Source: Binary string: cmstp.pdb source: Contract Agreement.exe, 00000001.00000002.687889109.0000000000970000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000002.916848212.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Contract Agreement.exe Unpacked PE file: 1.2.Contract Agreement.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
PE file contains sections with non-standard names
Source: 1hqxmv.dll.0.dr Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_004048E9 push ebp; retf 1_2_004048EA
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00417138 push ecx; iretd 1_2_00417150
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0040993B pushad ; retf 1_2_0040993C
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_004169DF push eax; iretd 1_2_004169E0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041CEB5 push eax; ret 1_2_0041CF08
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041CF6C push eax; ret 1_2_0041CF72
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041CF02 push eax; ret 1_2_0041CF08
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041CF0B push eax; ret 1_2_0041CF72
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A6D0D1 push ecx; ret 1_2_00A6D0E4
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_004048E9 push ebp; retf 1_1_004048EA
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00417138 push ecx; iretd 1_1_00417150
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0040993B pushad ; retf 1_1_0040993C
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_004169DF push eax; iretd 1_1_004169E0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0041CEB5 push eax; ret 1_1_0041CF08
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0041CF6C push eax; ret 1_1_0041CF72
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0041CF02 push eax; ret 1_1_0041CF08
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0041CF0B push eax; ret 1_1_0041CF72
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0474D0D1 push ecx; ret 4_2_0474D0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BA48E9 push ebp; retf 4_2_02BA48EA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BB69DF push eax; iretd 4_2_02BB69E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BA993B pushad ; retf 4_2_02BA993C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BB7138 push ecx; iretd 4_2_02BB7150
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BBCEB5 push eax; ret 4_2_02BBCF08
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BBCF0B push eax; ret 4_2_02BBCF72
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BBCF02 push eax; ret 4_2_02BBCF08
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BBCF6C push eax; ret 4_2_02BBCF72

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Contract Agreement.exe File created: C:\Users\user\AppData\Local\Temp\nsg2E21.tmp\1hqxmv.dll

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE0
Source: C:\Users\user\Desktop\Contract Agreement.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Contract Agreement.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Contract Agreement.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Contract Agreement.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000002BA98E4 second address: 0000000002BA98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000002BA9B5E second address: 0000000002BA9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Contract Agreement.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 2864 Thread sleep count: 39 > 30
Source: C:\Windows\explorer.exe TID: 2864 Thread sleep time: -78000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4856 Thread sleep time: -75000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC
Source: explorer.exe, 00000003.00000002.916677438.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.669272634.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.662962199.0000000004710000.00000004.00000001.sdmp Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&f
Source: explorer.exe, 00000003.00000002.917092318.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.669272634.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.662962199.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000003.00000002.916677438.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.669566755.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000003.00000002.916677438.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.669677507.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000003.00000002.916677438.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Contract Agreement.exe Process information queried: ProcessInformation
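The rows above mix two kinds of evidence. The long thread delays in explorer.exe and cmstp.exe and the ProcessInformation query are things the injected code did. The VMware device-instance paths and the Hyper-V sentences, by contrast, were found in memory dumps of explorer.exe, a Windows process the sample injected into: the device paths are the guest's own PnP enumeration data and the Hyper-V sentences are Windows resource strings, so they show that the analysis ran in a VMware guest, not that the sample searched for one (the sample's own hypervisor check recorded in this report is the RDTSC timing signature). The script below is an added example, not part of the report and not Joe Sandbox code; it parses rows in this export format and keeps the two categories apart. Reading the first .sdmp name field as a process index and the fourth as a base address is an assumption, as is treating the negative sleep values as relative intervals.

```python
"""Triage of Joe Sandbox evasion rows (added example; not report or product code)."""
import re
from collections import Counter

# Constructed input: rows copied from the report section above.
SAMPLE_ROWS = [
    r"Source: C:\Windows\explorer.exe TID: 2864 Thread sleep time: -78000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\cmstp.exe TID: 4856 Thread sleep time: -75000s >= -30000s",
    r"Source: explorer.exe, 00000003.00000002.916677438.00000000058C0000.00000002.00000001.sdmp "
    r"Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.",
    r"Source: explorer.exe, 00000003.00000000.669272634.000000000A60E000.00000004.00000001.sdmp "
    r"Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000"
    r"#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: explorer.exe, 00000003.00000000.662962199.0000000004710000.00000004.00000001.sdmp "
    r"Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm",
    r"Source: C:\Users\user\Desktop\Contract Agreement.exe Process information queried: ProcessInformation",
]

SLEEP_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: "
                      r"(?P<delay>-?\d+)s >= (?P<threshold>-?\d+)s")
MEMSTR_RE = re.compile(r"^Source: (?P<proc>[^,]+), (?P<dump>\S+\.sdmp) Binary or memory string: (?P<text>.*)$")
QUERY_RE = re.compile(r"^Source: (?P<proc>.+?) Process (?:information )?queried: (?P<what>\w+)")

# Hypervisor artefact families; the labels are this example's own.
VM_FAMILIES = (
    ("vmware", re.compile(r"vmware|necvmwar", re.I)),
    ("hyperv", re.compile(r"hyper-v|guest compute service", re.I)),
    ("vbox", re.compile(r"vbox|virtualbox|innotek", re.I)),
    ("qemu", re.compile(r"qemu|bochs", re.I)),
)


def basename_of(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    records = []
    for row in rows:
        row = row.replace(" Jump to behavior", "")  # link label left by the HTML export
        m = SLEEP_RE.match(row)
        if m:
            delay, thr = int(m["delay"]), int(m["threshold"])
            # Assumption: the report prints delays as negative numbers because relative
            # NtDelayExecution intervals are negative, so magnitudes are what matter.
            records.append({"kind": "sleep", "proc": basename_of(m["proc"]), "tid": int(m["tid"]),
                            "delay": delay, "threshold": thr, "exceeds": abs(delay) >= abs(thr)})
            continue
        m = MEMSTR_RE.match(row)
        if m:
            fields = m["dump"].split(".")
            family = next((name for name, rx in VM_FAMILIES if rx.search(m["text"])), None)
            # Device-instance paths are PnP enumeration data; full sentences are OS resource text.
            shape = "pnp_device_id" if re.search(r"scsi|storage#", m["text"], re.I) else "os_message"
            records.append({"kind": "memstr", "proc": basename_of(m["proc"]),
                            # Assumption: first .sdmp field = process index, fourth = base address.
                            "proc_index": int(fields[0]), "base": int(fields[3], 16),
                            "family": family, "shape": shape, "text": m["text"]})
            continue
        m = QUERY_RE.match(row)
        if m:
            records.append({"kind": "query", "proc": basename_of(m["proc"]), "what": m["what"]})
    return records


def summarize(records, sample_name="Contract Agreement.exe"):
    own = sample_name.lower()
    vm = [r for r in records if r["kind"] == "memstr" and r["family"]]
    in_host = [r for r in vm if r["proc"].lower() != own]
    return {
        "long_sleeps": [(r["proc"], r["tid"], r["delay"])
                        for r in records if r["kind"] == "sleep" and r["exceeds"]],
        "vm_families": Counter(r["family"] for r in vm),
        # VM strings inside the sample's own process deserve a look; the same strings in a
        # host process it injected into describe the sandbox, not a check made by the sample.
        "vm_strings_in_sample": len(vm) - len(in_host),
        "vm_strings_in_host_processes": len(in_host),
        "host_artifact_shapes": Counter(r["shape"] for r in in_host),
        "process_queries": Counter((r["proc"], r["what"]) for r in records if r["kind"] == "query"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_ROWS)).items():
        print("%-30s %s" % (key, value))
```

Point parse_rows at the full exported row list and the summary tells you at a glance whether any hypervisor string was seen in the sample's own process; for this section every one of them sits in explorer.exe memory.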

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Contract Agreement.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0040ACD0 LdrLoadDll, 1_2_0040ACD0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_6FC71000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect, 0_2_6FC71000
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
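The DebugPort query above is NtQueryInformationProcess with the ProcessDebugPort class, an API-level check. The rdtsc entry and the long run of "mov eax, dword ptr fs:[00000030h]" entries that follow are instruction-level patterns, and the fs:[30h] load on its own does not say what the PEB is read for. The next instruction usually does: a byte load from PEB+2 (BeingDebugged) or a dword load from PEB+0x68 (NtGlobalFlag) is a debugger check, while PEB+0x0C (Ldr) starts the module walk that unpacked code uses to resolve APIs by name hash before it can reach LdrLoadDll or GetProcAddress, and that walk typically accounts for the bulk of fs:[30h] hits in a report on unpacked code. The script below is an added example, taken neither from the report nor from the sample: it hand-assembles a few such fragments, classifies each PEB read by the field read next, and pairs rdtsc instructions the way a timing-check signature does. The byte patterns and the 32-bit PEB offsets are this example's assumptions, and a hit on a raw opcode pattern is a heuristic to confirm in a disassembler.

```python
"""Classify fs:[30h] PEB reads and rdtsc pairs in 32-bit code (added example, not from the report)."""
import re

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields commonly read right after the fs:[30h] load; categories are this example's.
PEB_FIELDS_X86 = {
    0x02: ("BeingDebugged", "anti-debug"),
    0x0C: ("Ldr", "module-walk"),          # PEB_LDR_DATA: API resolution by name hash
    0x10: ("ProcessParameters", "environment"),
    0x18: ("ProcessHeap", "heap-flags"),   # heap Flags/ForceFlags differ under a debugger
    0x68: ("NtGlobalFlag", "anti-debug"),  # FLG_HEAP_* bits (0x70) set when debugged
    0xA4: ("OSMajorVersion", "environment"),
}

# 64 A1 30 00 00 00 = mov eax, fs:[30h]; 64 8B /r (mod=00, rm=101) = mov r32, fs:[30h]
PEB_LOAD = re.compile(rb"\x64(?:(?P<a1>\xA1)|\x8B(?P<modrm>[\x05\x0D\x15\x1D\x2D\x35\x3D]))\x30\x00\x00\x00")


def deref_after(code, pos, base):
    """Decode one instruction at pos that reads [base+disp]; return (disp, mnemonic) or None."""
    b = code[pos:pos + 7]
    if len(b) < 3:
        return None
    if b[0] == 0x8B:                                   # mov r32, [base+disp]
        modrm, skip, mn, want = b[1], 2, "mov", None
    elif b[0] == 0x0F and b[1] == 0xB6:                # movzx r32, byte ptr [base+disp]
        modrm, skip, mn, want = b[2], 3, "movzx", None
    elif b[0] == 0x80:                                 # cmp byte ptr [base+disp], imm8 (/7)
        modrm, skip, mn, want = b[1], 2, "cmp", 7
    else:
        return None
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if rm != base or rm == 4 or mod not in (1, 2) or (want is not None and reg != want):
        return None
    if mod == 1 and len(b) > skip:                     # disp8
        return b[skip], mn
    if mod == 2 and len(b) >= skip + 4:                # disp32
        return int.from_bytes(b[skip:skip + 4], "little"), mn
    return None


def find_peb_reads(code):
    reads = []
    for m in PEB_LOAD.finditer(code):
        base = 0 if m.group("a1") else (m.group("modrm")[0] >> 3) & 7
        deref = deref_after(code, m.end(), base)
        if deref is None:
            disp, field, cat = None, "PEB (no direct field read)", "unknown"
        else:
            disp = deref[0]
            field, cat = PEB_FIELDS_X86.get(disp, ("PEB+0x%X" % disp, "unknown"))
        reads.append({"offset": m.start(), "reg": REG32[base], "disp": disp, "field": field, "category": cat})
    return reads


def find_rdtsc_pairs(code, window=32):
    """Two rdtsc (0F 31) within `window` bytes: a timing-delta check candidate (heuristic)."""
    offs = [m.start() for m in re.finditer(rb"\x0F\x31", code)]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def summarize(code):
    reads = find_peb_reads(code)
    by_cat = {}
    for r in reads:
        by_cat[r["category"]] = by_cat.get(r["category"], 0) + 1
    return {"peb_reads": reads, "by_category": by_cat, "rdtsc_pairs": find_rdtsc_pairs(code)}


# Constructed fragments, hand-assembled for this example (not bytes from the sample).
BEINGDEBUGGED = bytes.fromhex("64A130000000" "0FB64002" "85C0" "7502")   # mov eax,fs:[30h]; movzx eax,byte [eax+2]; test; jnz
NTGLOBALFLAG = bytes.fromhex("648B0D30000000" "8B4168" "A870" "7502")    # mov ecx,fs:[30h]; mov eax,[ecx+68h]; test al,70h
LDR_WALK = bytes.fromhex("64A130000000" "8B400C" "8B4014")               # PEB->Ldr->InMemoryOrderModuleList
RDTSC_CHECK = bytes.fromhex("0F31" "8BD8" "0F31" "2BC3" "3D00100000" "7702")  # rdtsc; mov ebx,eax; rdtsc; sub; cmp 1000h
VERSION_CHECK = bytes.fromhex("648B1530000000" "8B82A4000000")           # mov edx,fs:[30h]; mov eax,[edx+0A4h]
CODE = b"\x90\x90\x90".join([BEINGDEBUGGED, NTGLOBALFLAG, LDR_WALK, RDTSC_CHECK, VERSION_CHECK])

if __name__ == "__main__":
    for r in find_peb_reads(CODE):
        print("%04X  %s <- fs:[30h] -> %-18s %s" % (r["offset"], r["reg"], r["field"], r["category"]))
    print("rdtsc pairs:", find_rdtsc_pairs(CODE))
```

Feed find_peb_reads a code section dumped from the unpacked process and the fs:[30h] entries below collapse into a short list of which functions read BeingDebugged or NtGlobalFlag and which merely walk the loader list; only the former belong in the anti-debugging column.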
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_02B918A0 mov eax, dword ptr fs:[00000030h] 0_2_02B918A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_02B91688 mov eax, dword ptr fs:[00000030h] 0_2_02B91688
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h] 1_2_00A420A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h] 1_2_00A420A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h] 1_2_00A420A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h] 1_2_00A420A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h] 1_2_00A420A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h] 1_2_00A420A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A590AF mov eax, dword ptr fs:[00000030h] 1_2_00A590AF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4F0BF mov ecx, dword ptr fs:[00000030h] 1_2_00A4F0BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A4F0BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A4F0BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A19080 mov eax, dword ptr fs:[00000030h] 1_2_00A19080
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A93884 mov eax, dword ptr fs:[00000030h] 1_2_00A93884
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A93884 mov eax, dword ptr fs:[00000030h] 1_2_00A93884
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A140E1 mov eax, dword ptr fs:[00000030h] 1_2_00A140E1
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A140E1 mov eax, dword ptr fs:[00000030h] 1_2_00A140E1
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A140E1 mov eax, dword ptr fs:[00000030h] 1_2_00A140E1
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3B8E4 mov eax, dword ptr fs:[00000030h] 1_2_00A3B8E4
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3B8E4 mov eax, dword ptr fs:[00000030h] 1_2_00A3B8E4
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A158EC mov eax, dword ptr fs:[00000030h] 1_2_00A158EC
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00AAB8D0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AAB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00AAB8D0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00AAB8D0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00AAB8D0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00AAB8D0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00AAB8D0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2B02A mov eax, dword ptr fs:[00000030h] 1_2_00A2B02A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2B02A mov eax, dword ptr fs:[00000030h] 1_2_00A2B02A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2B02A mov eax, dword ptr fs:[00000030h] 1_2_00A2B02A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2B02A mov eax, dword ptr fs:[00000030h] 1_2_00A2B02A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h] 1_2_00A4002D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h] 1_2_00A4002D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h] 1_2_00A4002D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h] 1_2_00A4002D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h] 1_2_00A4002D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A830 mov eax, dword ptr fs:[00000030h] 1_2_00A3A830
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A830 mov eax, dword ptr fs:[00000030h] 1_2_00A3A830
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A830 mov eax, dword ptr fs:[00000030h] 1_2_00A3A830
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A830 mov eax, dword ptr fs:[00000030h] 1_2_00A3A830
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE4015 mov eax, dword ptr fs:[00000030h] 1_2_00AE4015
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE4015 mov eax, dword ptr fs:[00000030h] 1_2_00AE4015
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A97016 mov eax, dword ptr fs:[00000030h] 1_2_00A97016
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A97016 mov eax, dword ptr fs:[00000030h] 1_2_00A97016
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A97016 mov eax, dword ptr fs:[00000030h] 1_2_00A97016
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE1074 mov eax, dword ptr fs:[00000030h] 1_2_00AE1074
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD2073 mov eax, dword ptr fs:[00000030h] 1_2_00AD2073
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A30050 mov eax, dword ptr fs:[00000030h] 1_2_00A30050
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A30050 mov eax, dword ptr fs:[00000030h] 1_2_00A30050
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A461A0 mov eax, dword ptr fs:[00000030h] 1_2_00A461A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A461A0 mov eax, dword ptr fs:[00000030h] 1_2_00A461A0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AD49A4
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AD49A4
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AD49A4
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AD49A4
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A969A6 mov eax, dword ptr fs:[00000030h] 1_2_00A969A6
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A951BE mov eax, dword ptr fs:[00000030h] 1_2_00A951BE
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A951BE mov eax, dword ptr fs:[00000030h] 1_2_00A951BE
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A951BE mov eax, dword ptr fs:[00000030h] 1_2_00A951BE
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A951BE mov eax, dword ptr fs:[00000030h] 1_2_00A951BE
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov ecx, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov ecx, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov eax, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov ecx, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov ecx, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov eax, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov ecx, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov ecx, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov eax, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov ecx, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov ecx, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A399BF mov eax, dword ptr fs:[00000030h] 1_2_00A399BF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4A185 mov eax, dword ptr fs:[00000030h] 1_2_00A4A185
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3C182 mov eax, dword ptr fs:[00000030h] 1_2_00A3C182
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A42990 mov eax, dword ptr fs:[00000030h] 1_2_00A42990
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A1B1E1
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A1B1E1
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A1B1E1
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AA41E8 mov eax, dword ptr fs:[00000030h] 1_2_00AA41E8
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A34120 mov eax, dword ptr fs:[00000030h] 1_2_00A34120
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A34120 mov eax, dword ptr fs:[00000030h] 1_2_00A34120
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A34120 mov eax, dword ptr fs:[00000030h] 1_2_00A34120
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A34120 mov eax, dword ptr fs:[00000030h] 1_2_00A34120
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A34120 mov ecx, dword ptr fs:[00000030h] 1_2_00A34120
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4513A mov eax, dword ptr fs:[00000030h] 1_2_00A4513A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4513A mov eax, dword ptr fs:[00000030h] 1_2_00A4513A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A19100 mov eax, dword ptr fs:[00000030h] 1_2_00A19100
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A19100 mov eax, dword ptr fs:[00000030h] 1_2_00A19100
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A19100 mov eax, dword ptr fs:[00000030h] 1_2_00A19100
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1C962 mov eax, dword ptr fs:[00000030h] 1_2_00A1C962
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1B171 mov eax, dword ptr fs:[00000030h] 1_2_00A1B171
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1B171 mov eax, dword ptr fs:[00000030h] 1_2_00A1B171
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3B944 mov eax, dword ptr fs:[00000030h] 1_2_00A3B944
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3B944 mov eax, dword ptr fs:[00000030h] 1_2_00A3B944
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h] 1_2_00A152A5
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h] 1_2_00A152A5
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h] 1_2_00A152A5
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h] 1_2_00A152A5
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h] 1_2_00A152A5
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A2AAB0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A2AAB0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4FAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A4FAB0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4D294 mov eax, dword ptr fs:[00000030h] 1_2_00A4D294
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4D294 mov eax, dword ptr fs:[00000030h] 1_2_00A4D294
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A42AE4 mov eax, dword ptr fs:[00000030h] 1_2_00A42AE4
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] 1_2_00AD4AEF
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A42ACB mov eax, dword ptr fs:[00000030h] 1_2_00A42ACB
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A54A2C mov eax, dword ptr fs:[00000030h] 1_2_00A54A2C
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A54A2C mov eax, dword ptr fs:[00000030h] 1_2_00A54A2C
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A229 mov eax, dword ptr fs:[00000030h] 1_2_00A3A229
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A229 mov eax, dword ptr fs:[00000030h] 1_2_00A3A229
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A229 mov eax, dword ptr fs:[00000030h] 1_2_00A3A229
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A229 mov eax, dword ptr fs:[00000030h] 1_2_00A3A229
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A229 mov eax, dword ptr fs:[00000030h] 1_2_00A3A229
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A229 mov eax, dword ptr fs:[00000030h] 1_2_00A3A229
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A229 mov eax, dword ptr fs:[00000030h] 1_2_00A3A229
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A229 mov eax, dword ptr fs:[00000030h] 1_2_00A3A229
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A229 mov eax, dword ptr fs:[00000030h] 1_2_00A3A229
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A28A0A mov eax, dword ptr fs:[00000030h] 1_2_00A28A0A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A15210 mov eax, dword ptr fs:[00000030h] 1_2_00A15210
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A15210 mov ecx, dword ptr fs:[00000030h] 1_2_00A15210
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A15210 mov eax, dword ptr fs:[00000030h] 1_2_00A15210
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A15210 mov eax, dword ptr fs:[00000030h] 1_2_00A15210
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A1AA16
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A1AA16
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ADAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ADAA16
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ADAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ADAA16
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A33A1C mov eax, dword ptr fs:[00000030h] 1_2_00A33A1C
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ACB260 mov eax, dword ptr fs:[00000030h] 1_2_00ACB260
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ACB260 mov eax, dword ptr fs:[00000030h] 1_2_00ACB260
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE8A62 mov eax, dword ptr fs:[00000030h] 1_2_00AE8A62
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A5927A mov eax, dword ptr fs:[00000030h] 1_2_00A5927A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h] 1_2_00A19240
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h] 1_2_00A19240
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h] 1_2_00A19240
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h] 1_2_00A19240
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ADEA55 mov eax, dword ptr fs:[00000030h] 1_2_00ADEA55
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AA4257 mov eax, dword ptr fs:[00000030h] 1_2_00AA4257
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A44BAD mov eax, dword ptr fs:[00000030h] 1_2_00A44BAD
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A44BAD mov eax, dword ptr fs:[00000030h] 1_2_00A44BAD
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A44BAD mov eax, dword ptr fs:[00000030h] 1_2_00A44BAD
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE5BA5 mov eax, dword ptr fs:[00000030h] 1_2_00AE5BA5
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD138A mov eax, dword ptr fs:[00000030h] 1_2_00AD138A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ACD380 mov ecx, dword ptr fs:[00000030h] 1_2_00ACD380
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A21B8F mov eax, dword ptr fs:[00000030h] 1_2_00A21B8F
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A21B8F mov eax, dword ptr fs:[00000030h] 1_2_00A21B8F
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A42397 mov eax, dword ptr fs:[00000030h] 1_2_00A42397
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4B390 mov eax, dword ptr fs:[00000030h] 1_2_00A4B390
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h] 1_2_00A403E2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h] 1_2_00A403E2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h] 1_2_00A403E2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h] 1_2_00A403E2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h] 1_2_00A403E2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h] 1_2_00A403E2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3DBE9 mov eax, dword ptr fs:[00000030h] 1_2_00A3DBE9
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AC23E3 mov ecx, dword ptr fs:[00000030h] 1_2_00AC23E3
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AC23E3 mov ecx, dword ptr fs:[00000030h] 1_2_00AC23E3
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AC23E3 mov eax, dword ptr fs:[00000030h] 1_2_00AC23E3
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A953CA mov eax, dword ptr fs:[00000030h] 1_2_00A953CA
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A953CA mov eax, dword ptr fs:[00000030h] 1_2_00A953CA
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] 1_2_00A3A309
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD131B mov eax, dword ptr fs:[00000030h] 1_2_00AD131B
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1DB60 mov ecx, dword ptr fs:[00000030h] 1_2_00A1DB60
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A43B7A mov eax, dword ptr fs:[00000030h] 1_2_00A43B7A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A43B7A mov eax, dword ptr fs:[00000030h] 1_2_00A43B7A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1DB40 mov eax, dword ptr fs:[00000030h] 1_2_00A1DB40
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE8B58 mov eax, dword ptr fs:[00000030h] 1_2_00AE8B58
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1F358 mov eax, dword ptr fs:[00000030h] 1_2_00A1F358
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2849B mov eax, dword ptr fs:[00000030h] 1_2_00A2849B
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h] 1_2_00AD4496
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD14FB mov eax, dword ptr fs:[00000030h] 1_2_00AD14FB
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A96CF0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A96CF0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A96CF0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE8CD6 mov eax, dword ptr fs:[00000030h] 1_2_00AE8CD6
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4BC2C mov eax, dword ptr fs:[00000030h] 1_2_00A4BC2C
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h] 1_2_00AE740D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h] 1_2_00AE740D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h] 1_2_00AE740D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h] 1_2_00A96C0A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h] 1_2_00A96C0A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h] 1_2_00A96C0A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h] 1_2_00A96C0A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AD1C06
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3746D mov eax, dword ptr fs:[00000030h] 1_2_00A3746D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h] 1_2_00A4AC7B
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4A44B mov eax, dword ptr fs:[00000030h] 1_2_00A4A44B
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AAC450 mov eax, dword ptr fs:[00000030h] 1_2_00AAC450
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE05AC mov eax, dword ptr fs:[00000030h] 1_2_00AE05AC
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A435A1 mov eax, dword ptr fs:[00000030h] 1_2_00A435A1
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A41DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A41DB5
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h] 1_2_00A42581
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h] 1_2_00A12D8A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD2D82 mov eax, dword ptr fs:[00000030h] 1_2_00AD2D82
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A4FD9B
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A2D5E0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00ADFDE2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AC8DF1 mov eax, dword ptr fs:[00000030h] 1_2_00AC8DF1
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A96DC9
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A96DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00A96DC9
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1AD30 mov eax, dword ptr fs:[00000030h] 1_2_00A1AD30
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ADE539 mov eax, dword ptr fs:[00000030h] 1_2_00ADE539
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h] 1_2_00A23D34
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE8D34 mov eax, dword ptr fs:[00000030h] 1_2_00AE8D34
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A9A537 mov eax, dword ptr fs:[00000030h] 1_2_00A9A537
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A44D3B mov eax, dword ptr fs:[00000030h] 1_2_00A44D3B
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3C577 mov eax, dword ptr fs:[00000030h] 1_2_00A3C577
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A53D43 mov eax, dword ptr fs:[00000030h] 1_2_00A53D43
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A93540 mov eax, dword ptr fs:[00000030h] 1_2_00A93540
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AC3D40 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D40
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A37D50 mov eax, dword ptr fs:[00000030h] 1_2_00A37D50
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AE0EA5
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A946A7 mov eax, dword ptr fs:[00000030h] 1_2_00A946A7
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AAFE87 mov eax, dword ptr fs:[00000030h] 1_2_00AAFE87
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A276E2 mov eax, dword ptr fs:[00000030h] 1_2_00A276E2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A416E0 mov ecx, dword ptr fs:[00000030h] 1_2_00A416E0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A58EC7 mov eax, dword ptr fs:[00000030h] 1_2_00A58EC7
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A436CC mov eax, dword ptr fs:[00000030h] 1_2_00A436CC
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ACFEC0 mov eax, dword ptr fs:[00000030h] 1_2_00ACFEC0
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE8ED6 mov eax, dword ptr fs:[00000030h] 1_2_00AE8ED6
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1E620 mov eax, dword ptr fs:[00000030h] 1_2_00A1E620
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ACFE3F mov eax, dword ptr fs:[00000030h] 1_2_00ACFE3F
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A1C600 mov eax, dword ptr fs:[00000030h] 1_2_00A1C600
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A48E00 mov eax, dword ptr fs:[00000030h] 1_2_00A48E00
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AD1608 mov eax, dword ptr fs:[00000030h] 1_2_00AD1608
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4A61C mov eax, dword ptr fs:[00000030h] 1_2_00A4A61C
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2766D mov eax, dword ptr fs:[00000030h] 1_2_00A2766D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A3AE73
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h] 1_2_00A27E41
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00ADAE44 mov eax, dword ptr fs:[00000030h] 1_2_00ADAE44
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A28794 mov eax, dword ptr fs:[00000030h] 1_2_00A28794
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A97794 mov eax, dword ptr fs:[00000030h] 1_2_00A97794
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A537F5 mov eax, dword ptr fs:[00000030h] 1_2_00A537F5
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A14F2E mov eax, dword ptr fs:[00000030h] 1_2_00A14F2E
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4E730 mov eax, dword ptr fs:[00000030h] 1_2_00A4E730
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3B73D mov eax, dword ptr fs:[00000030h] 1_2_00A3B73D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE070D mov eax, dword ptr fs:[00000030h] 1_2_00AE070D
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A4A70E mov eax, dword ptr fs:[00000030h] 1_2_00A4A70E
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A3F716 mov eax, dword ptr fs:[00000030h] 1_2_00A3F716
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AAFF10 mov eax, dword ptr fs:[00000030h] 1_2_00AAFF10
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2FF60 mov eax, dword ptr fs:[00000030h] 1_2_00A2FF60
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00AE8F6A mov eax, dword ptr fs:[00000030h] 1_2_00AE8F6A
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A2EF40 mov eax, dword ptr fs:[00000030h] 1_2_00A2EF40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h] 4_2_0471B477
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h] 4_2_0472AC7B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0471746D mov eax, dword ptr fs:[00000030h] 4_2_0471746D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0478C450 mov eax, dword ptr fs:[00000030h] 4_2_0478C450
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0472A44B mov eax, dword ptr fs:[00000030h] 4_2_0472A44B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0472BC2C mov eax, dword ptr fs:[00000030h] 4_2_0472BC2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C740D mov eax, dword ptr fs:[00000030h] 4_2_047C740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h] 4_2_047B1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04776C0A mov eax, dword ptr fs:[00000030h] 4_2_04776C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047B14FB mov eax, dword ptr fs:[00000030h] 4_2_047B14FB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04776CF0 mov eax, dword ptr fs:[00000030h] 4_2_04776CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C8CD6 mov eax, dword ptr fs:[00000030h] 4_2_047C8CD6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0470849B mov eax, dword ptr fs:[00000030h] 4_2_0470849B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h] 4_2_047B4496
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0471C577 mov eax, dword ptr fs:[00000030h] 4_2_0471C577
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04717D50 mov eax, dword ptr fs:[00000030h] 4_2_04717D50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04733D43 mov eax, dword ptr fs:[00000030h] 4_2_04733D43
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04773540 mov eax, dword ptr fs:[00000030h] 4_2_04773540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047A3D40 mov eax, dword ptr fs:[00000030h] 4_2_047A3D40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0477A537 mov eax, dword ptr fs:[00000030h] 4_2_0477A537
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047BE539 mov eax, dword ptr fs:[00000030h] 4_2_047BE539
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h] 4_2_04703D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C8D34 mov eax, dword ptr fs:[00000030h] 4_2_047C8D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04724D3B mov eax, dword ptr fs:[00000030h] 4_2_04724D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0472F527 mov eax, dword ptr fs:[00000030h] 4_2_0472F527
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046FAD30 mov eax, dword ptr fs:[00000030h] 4_2_046FAD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047A8DF1 mov eax, dword ptr fs:[00000030h] 4_2_047A8DF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0470D5E0 mov eax, dword ptr fs:[00000030h] 4_2_0470D5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047BFDE2 mov eax, dword ptr fs:[00000030h] 4_2_047BFDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04776DC9 mov eax, dword ptr fs:[00000030h] 4_2_04776DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04776DC9 mov ecx, dword ptr fs:[00000030h] 4_2_04776DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04721DB5 mov eax, dword ptr fs:[00000030h] 4_2_04721DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047C05AC mov eax, dword ptr fs:[00000030h] 4_2_047C05AC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_047235A1 mov eax, dword ptr fs:[00000030h] 4_2_047235A1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046F2D8A mov eax, dword ptr fs:[00000030h] 4_2_046F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0472FD9B mov eax, dword ptr fs:[00000030h] 4_2_0472FD9B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0472FD9B mov eax, dword ptr fs:[00000030h] 4_2_0472FD9B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04722581 mov eax, dword ptr fs:[00000030h] 4_2_04722581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04722581 mov eax, dword ptr fs:[00000030h] 4_2_04722581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04722581 mov eax, dword ptr fs:[00000030h] 4_2_04722581
Enables debug privileges
Source: C:\Users\user\Desktop\Contract Agreement.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.protocolmodern.com
Source: C:\Windows\explorer.exe Network Connect: 142.111.179.147 80
Source: C:\Windows\explorer.exe Network Connect: 72.52.251.1 80
Source: C:\Windows\explorer.exe Domain query: www.nyariorganics.com
Source: C:\Windows\explorer.exe Domain query: www.bizcert360.com
Source: C:\Windows\explorer.exe Domain query: www.sapanyc.com
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_6FC71000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect, 0_2_6FC71000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Contract Agreement.exe Section loaded: unknown target: C:\Users\user\Desktop\Contract Agreement.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Contract Agreement.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Contract Agreement.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Contract Agreement.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Contract Agreement.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Contract Agreement.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Contract Agreement.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 310000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Contract Agreement.exe Process created: C:\Users\user\Desktop\Contract Agreement.exe 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: explorer.exe, 00000003.00000000.653398591.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000003.00000002.907549316.0000000001080000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.665606010.0000000005E50000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.907549316.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.907549316.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.669566755.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 385426
Sample: Contract Agreement.exe
Startdate: 12/04/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Found malware configuration
  • Malicious sample detected (through community Yara rule)
  • 7 other signatures

Process tree:
  • Contract Agreement.exe (started)
      dropped: C:\Users\user\AppData\Local\...\1hqxmv.dll, PE32
      signature: Maps a DLL or memory area into another process
      • Contract Agreement.exe (started)
          signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (injected)
              DNS/IP: bizcert360.com 72.52.251.1, 49756, 80 LIQUIDWEBUS United States
              DNS/IP: www.sapanyc.com 142.111.179.147, 49750, 80 EGIHOSTINGUS United States
              DNS/IP: 3 other IPs or domains
              signature: System process connects to network (likely due to code injection or exploit)
              • cmstp.exe (started)
                  signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe (started)
                      • conhost.exe (started)

Contacted Public IPs

IP               Domain            Country         ASN    ASN Name      Malicious
142.111.179.147  www.sapanyc.com   United States   18779  EGIHOSTINGUS  true
72.52.251.1      bizcert360.com    United States   32244  LIQUIDWEBUS   true

Contacted Domains

Name                      IP               Active
bizcert360.com            72.52.251.1      true
www.sapanyc.com           142.111.179.147  true
www.protocolmodern.com    unknown          unknown
www.nyariorganics.com     unknown          unknown
www.bizcert360.com        unknown          unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.sapanyc.com/klf/?bl=VTChTP0hZXHDb84&Y4pTrva=ZAijfgstlYq8fKC0iYK9133s/sVwbQ6uXCBDF/fP0oHXHYAEtG3x8g/iP6moTRr8/loA | true | Avira URL Cloud: safe | unknown
www.middlehambooks.com/klf/ | true | Avira URL Cloud: safe | low
http://www.bizcert360.com/klf/?Y4pTrva=l4OXKFqiDRIL5M7Qs3ptSHdfRIx3aIBnF9VcnLQHKrQrW9fnriE9a3t8qZQrlYiaWXmB&bl=VTChTP0hZXHDb84 | true | Avira URL Cloud: safe | unknown