Windows Analysis Report
RFQ STS3780082024.exe

Overview

General Information

Sample name: RFQ STS3780082024.exe
Analysis ID: 1500397
MD5: 9a057309180e58b6f230abfddd69d641
SHA1: fdd107e8261be425264c7863b07cdbaec37a23cf
SHA256: f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: RFQ STS3780082024.exe ReversingLabs: Detection: 50%
Source: RFQ STS3780082024.exe Virustotal: Detection: 62%
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ STS3780082024.exe Joe Sandbox ML: detected
Source: RFQ STS3780082024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RFQ STS3780082024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Code function: 4x nop then jmp 06F3AA34h 0_2_06F3A0D6
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443

E-Banking Fraud

Source: Yara match File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: RFQ STS3780082024.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0042C003 NtClose, 5_2_0042C003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_01232DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_01232C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012335C0 NtCreateMutant,LdrInitializeThunk, 5_2_012335C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01234340 NtSetContextThread, 5_2_01234340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01234650 NtSuspendThread, 5_2_01234650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232B60 NtClose, 5_2_01232B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232BA0 NtEnumerateValueKey, 5_2_01232BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232B80 NtQueryInformationFile, 5_2_01232B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232BE0 NtQueryValueKey, 5_2_01232BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232BF0 NtAllocateVirtualMemory, 5_2_01232BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232AB0 NtWaitForSingleObject, 5_2_01232AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232AF0 NtWriteFile, 5_2_01232AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232AD0 NtReadFile, 5_2_01232AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232D30 NtUnmapViewOfSection, 5_2_01232D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232D00 NtSetInformationFile, 5_2_01232D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232D10 NtMapViewOfSection, 5_2_01232D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232DB0 NtEnumerateKey, 5_2_01232DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232DD0 NtDelayExecution, 5_2_01232DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232C00 NtQueryInformationProcess, 5_2_01232C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232C60 NtCreateKey, 5_2_01232C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232CA0 NtQueryInformationToken, 5_2_01232CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232CF0 NtOpenProcess, 5_2_01232CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232CC0 NtQueryVirtualMemory, 5_2_01232CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232F30 NtCreateSection, 5_2_01232F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232F60 NtCreateProcessEx, 5_2_01232F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232FA0 NtQuerySection, 5_2_01232FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232FB0 NtResumeThread, 5_2_01232FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232F90 NtProtectVirtualMemory, 5_2_01232F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232FE0 NtCreateFile, 5_2_01232FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232E30 NtWriteVirtualMemory, 5_2_01232E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232EA0 NtAdjustPrivilegesToken, 5_2_01232EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232E80 NtReadVirtualMemory, 5_2_01232E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01232EE0 NtQueueApcThread, 5_2_01232EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01233010 NtOpenDirectoryObject, 5_2_01233010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01233090 NtSetValueKey, 5_2_01233090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012339B0 NtGetContextThread, 5_2_012339B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01233D10 NtOpenProcessToken, 5_2_01233D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01233D70 NtOpenThread, 5_2_01233D70
Source: RFQ STS3780082024.exe, 00000000.00000002.1698605704.0000000003897000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ STS3780082024.exe
Source: RFQ STS3780082024.exe, 00000000.00000002.1701092052.0000000006E80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ STS3780082024.exe
Source: RFQ STS3780082024.exe, 00000000.00000000.1643859543.00000000004C2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBpCj.exe6 vs RFQ STS3780082024.exe
Source: RFQ STS3780082024.exe, 00000000.00000002.1700250671.00000000052A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs RFQ STS3780082024.exe
Source: RFQ STS3780082024.exe, 00000000.00000002.1696339255.00000000009CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ STS3780082024.exe
Source: RFQ STS3780082024.exe, 00000000.00000002.1698605704.00000000037F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs RFQ STS3780082024.exe
Source: RFQ STS3780082024.exe Binary or memory string: OriginalFilenameBpCj.exe6 vs RFQ STS3780082024.exe
Source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: RFQ STS3780082024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, b75OHExKKCmLTZp12S.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, b75OHExKKCmLTZp12S.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, oHURga50K82imqYymd.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, oHURga50K82imqYymd.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, oHURga50K82imqYymd.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, b75OHExKKCmLTZp12S.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, oHURga50K82imqYymd.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, oHURga50K82imqYymd.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, oHURga50K82imqYymd.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, oHURga50K82imqYymd.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, oHURga50K82imqYymd.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, oHURga50K82imqYymd.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/6@0/0
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ STS3780082024.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Mutant created: \Sessions\1\BaseNamedObjects\DjyZLedjLNbHnESeUkdoDHNOD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aj4revyi.lf2.ps1
Source: RFQ STS3780082024.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ STS3780082024.exe ReversingLabs: Detection: 50%
Source: RFQ STS3780082024.exe Virustotal: Detection: 62%
Source: unknown Process created: C:\Users\user\Desktop\RFQ STS3780082024.exe "C:\Users\user\Desktop\RFQ STS3780082024.exe"
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe"
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe"
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ STS3780082024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ STS3780082024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, oHURga50K82imqYymd.cs .Net Code: R4f8I39MJA System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, oHURga50K82imqYymd.cs .Net Code: R4f8I39MJA System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, oHURga50K82imqYymd.cs .Net Code: R4f8I39MJA System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ STS3780082024.exe.52a0000.3.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ STS3780082024.exe.3812250.1.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Code function: 0_2_06F30006 push es; retf 0_2_06F3001C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004030F0 push eax; ret 5_2_004030F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004220F2 push ss; retn 0000h 5_2_004220FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00423134 push esp; iretd 5_2_00423135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041A265 pushfd ; retf 5_2_0041A26C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004132CA push edx; retf 5_2_004132CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041CB52 push es; retf 5_2_0041CB53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041CBD6 pushfd ; retf 5_2_0041CBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041ED9D push ebp; iretd 5_2_0041ED9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011C225F pushad ; ret 5_2_011C27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011C27FA pushad ; ret 5_2_011C27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F09AD push ecx; mov dword ptr [esp], ecx 5_2_011F09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011C283D push eax; iretd 5_2_011C2858
Source: RFQ STS3780082024.exe Static PE information: section name: .text entropy: 7.771271485735661

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: RFQ STS3780082024.exe PID: 7316, type: MEMORYSTR
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory allocated: 27B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory allocated: 27F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory allocated: 47F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory allocated: 76A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory allocated: 7080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory allocated: 86A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory allocated: 96A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0123096E rdtsc 5_2_0123096E
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6196
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 0.6 %
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe TID: 7336 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7536 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RFQ STS3780082024.exe, 00000000.00000002.1696339255.0000000000A02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00417283 LdrLoadDll, 5_2_00417283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01220124 mov eax, dword ptr fs:[00000030h] 5_2_01220124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01272349 mov eax, dword ptr fs:[00000030h] 5_2_01272349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012BA352 mov eax, dword ptr fs:[00000030h] 5_2_012BA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01298350 mov ecx, dword ptr fs:[00000030h] 5_2_01298350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0127035C mov eax, dword ptr fs:[00000030h] 5_2_0127035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0127035C mov eax, dword ptr fs:[00000030h] 5_2_0127035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0127035C mov eax, dword ptr fs:[00000030h] 5_2_0127035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0127035C mov ecx, dword ptr fs:[00000030h] 5_2_0127035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0127035C mov eax, dword ptr fs:[00000030h] 5_2_0127035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0127035C mov eax, dword ptr fs:[00000030h] 5_2_0127035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011E8397 mov eax, dword ptr fs:[00000030h] 5_2_011E8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011E8397 mov eax, dword ptr fs:[00000030h] 5_2_011E8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011E8397 mov eax, dword ptr fs:[00000030h] 5_2_011E8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011EE388 mov eax, dword ptr fs:[00000030h] 5_2_011EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011EE388 mov eax, dword ptr fs:[00000030h] 5_2_011EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011EE388 mov eax, dword ptr fs:[00000030h] 5_2_011EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121438F mov eax, dword ptr fs:[00000030h] 5_2_0121438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121438F mov eax, dword ptr fs:[00000030h] 5_2_0121438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h] 5_2_012003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h] 5_2_012003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h] 5_2_012003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h] 5_2_012003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h] 5_2_012003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h] 5_2_012003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h] 5_2_012003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h] 5_2_012003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0120E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0120E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0120E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0120E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0120E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0120E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012263FF mov eax, dword ptr fs:[00000030h] 5_2_012263FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F83C0 mov eax, dword ptr fs:[00000030h] 5_2_011F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F83C0 mov eax, dword ptr fs:[00000030h] 5_2_011F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F83C0 mov eax, dword ptr fs:[00000030h] 5_2_011F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F83C0 mov eax, dword ptr fs:[00000030h] 5_2_011F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h] 5_2_011FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h] 5_2_011FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h] 5_2_011FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h] 5_2_011FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h] 5_2_011FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h] 5_2_011FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012AC3CD mov eax, dword ptr fs:[00000030h] 5_2_012AC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012763C0 mov eax, dword ptr fs:[00000030h] 5_2_012763C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0129E3DB mov eax, dword ptr fs:[00000030h] 5_2_0129E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0129E3DB mov eax, dword ptr fs:[00000030h] 5_2_0129E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0129E3DB mov ecx, dword ptr fs:[00000030h] 5_2_0129E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0129E3DB mov eax, dword ptr fs:[00000030h] 5_2_0129E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012943D4 mov eax, dword ptr fs:[00000030h] 5_2_012943D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012943D4 mov eax, dword ptr fs:[00000030h] 5_2_012943D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011E823B mov eax, dword ptr fs:[00000030h] 5_2_011E823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F6259 mov eax, dword ptr fs:[00000030h] 5_2_011F6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011EA250 mov eax, dword ptr fs:[00000030h] 5_2_011EA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h] 5_2_012A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01278243 mov eax, dword ptr fs:[00000030h] 5_2_01278243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01278243 mov ecx, dword ptr fs:[00000030h] 5_2_01278243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012C625D mov eax, dword ptr fs:[00000030h] 5_2_012C625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011E826B mov eax, dword ptr fs:[00000030h] 5_2_011E826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012AA250 mov eax, dword ptr fs:[00000030h] 5_2_012AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012AA250 mov eax, dword ptr fs:[00000030h] 5_2_012AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F4260 mov eax, dword ptr fs:[00000030h] 5_2_011F4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F4260 mov eax, dword ptr fs:[00000030h] 5_2_011F4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F4260 mov eax, dword ptr fs:[00000030h] 5_2_011F4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012002A0 mov eax, dword ptr fs:[00000030h] 5_2_012002A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012002A0 mov eax, dword ptr fs:[00000030h] 5_2_012002A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012862A0 mov eax, dword ptr fs:[00000030h] 5_2_012862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012862A0 mov ecx, dword ptr fs:[00000030h] 5_2_012862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012862A0 mov eax, dword ptr fs:[00000030h] 5_2_012862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012862A0 mov eax, dword ptr fs:[00000030h] 5_2_012862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012862A0 mov eax, dword ptr fs:[00000030h] 5_2_012862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012862A0 mov eax, dword ptr fs:[00000030h] 5_2_012862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01270283 mov eax, dword ptr fs:[00000030h] 5_2_01270283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01270283 mov eax, dword ptr fs:[00000030h] 5_2_01270283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01270283 mov eax, dword ptr fs:[00000030h] 5_2_01270283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E284 mov eax, dword ptr fs:[00000030h] 5_2_0122E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E284 mov eax, dword ptr fs:[00000030h] 5_2_0122E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012002E1 mov eax, dword ptr fs:[00000030h] 5_2_012002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012002E1 mov eax, dword ptr fs:[00000030h] 5_2_012002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012002E1 mov eax, dword ptr fs:[00000030h] 5_2_012002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA2C3 mov eax, dword ptr fs:[00000030h] 5_2_011FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA2C3 mov eax, dword ptr fs:[00000030h] 5_2_011FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA2C3 mov eax, dword ptr fs:[00000030h] 5_2_011FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA2C3 mov eax, dword ptr fs:[00000030h] 5_2_011FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011FA2C3 mov eax, dword ptr fs:[00000030h] 5_2_011FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012C62D6 mov eax, dword ptr fs:[00000030h] 5_2_012C62D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01200535 mov eax, dword ptr fs:[00000030h] 5_2_01200535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01200535 mov eax, dword ptr fs:[00000030h] 5_2_01200535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01200535 mov eax, dword ptr fs:[00000030h] 5_2_01200535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01200535 mov eax, dword ptr fs:[00000030h] 5_2_01200535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01200535 mov eax, dword ptr fs:[00000030h] 5_2_01200535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01200535 mov eax, dword ptr fs:[00000030h] 5_2_01200535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E53E mov eax, dword ptr fs:[00000030h] 5_2_0121E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E53E mov eax, dword ptr fs:[00000030h] 5_2_0121E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E53E mov eax, dword ptr fs:[00000030h] 5_2_0121E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E53E mov eax, dword ptr fs:[00000030h] 5_2_0121E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E53E mov eax, dword ptr fs:[00000030h] 5_2_0121E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01286500 mov eax, dword ptr fs:[00000030h] 5_2_01286500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h] 5_2_012C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h] 5_2_012C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h] 5_2_012C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h] 5_2_012C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h] 5_2_012C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h] 5_2_012C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h] 5_2_012C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122656A mov eax, dword ptr fs:[00000030h] 5_2_0122656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122656A mov eax, dword ptr fs:[00000030h] 5_2_0122656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122656A mov eax, dword ptr fs:[00000030h] 5_2_0122656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F8550 mov eax, dword ptr fs:[00000030h] 5_2_011F8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F8550 mov eax, dword ptr fs:[00000030h] 5_2_011F8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012705A7 mov eax, dword ptr fs:[00000030h] 5_2_012705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012705A7 mov eax, dword ptr fs:[00000030h] 5_2_012705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012705A7 mov eax, dword ptr fs:[00000030h] 5_2_012705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012145B1 mov eax, dword ptr fs:[00000030h] 5_2_012145B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012145B1 mov eax, dword ptr fs:[00000030h] 5_2_012145B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F2582 mov eax, dword ptr fs:[00000030h] 5_2_011F2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F2582 mov ecx, dword ptr fs:[00000030h] 5_2_011F2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01224588 mov eax, dword ptr fs:[00000030h] 5_2_01224588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E59C mov eax, dword ptr fs:[00000030h] 5_2_0122E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0121E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0121E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0121E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0121E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0121E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0121E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0121E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0121E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F65D0 mov eax, dword ptr fs:[00000030h] 5_2_011F65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122C5ED mov eax, dword ptr fs:[00000030h] 5_2_0122C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122C5ED mov eax, dword ptr fs:[00000030h] 5_2_0122C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E5CF mov eax, dword ptr fs:[00000030h] 5_2_0122E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E5CF mov eax, dword ptr fs:[00000030h] 5_2_0122E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122A5D0 mov eax, dword ptr fs:[00000030h] 5_2_0122A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122A5D0 mov eax, dword ptr fs:[00000030h] 5_2_0122A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F25E0 mov eax, dword ptr fs:[00000030h] 5_2_011F25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01276420 mov eax, dword ptr fs:[00000030h] 5_2_01276420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01276420 mov eax, dword ptr fs:[00000030h] 5_2_01276420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01276420 mov eax, dword ptr fs:[00000030h] 5_2_01276420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01276420 mov eax, dword ptr fs:[00000030h] 5_2_01276420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01276420 mov eax, dword ptr fs:[00000030h] 5_2_01276420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01276420 mov eax, dword ptr fs:[00000030h] 5_2_01276420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01276420 mov eax, dword ptr fs:[00000030h] 5_2_01276420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122A430 mov eax, dword ptr fs:[00000030h] 5_2_0122A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01228402 mov eax, dword ptr fs:[00000030h] 5_2_01228402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01228402 mov eax, dword ptr fs:[00000030h] 5_2_01228402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01228402 mov eax, dword ptr fs:[00000030h] 5_2_01228402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011EC427 mov eax, dword ptr fs:[00000030h] 5_2_011EC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011EE420 mov eax, dword ptr fs:[00000030h] 5_2_011EE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011EE420 mov eax, dword ptr fs:[00000030h] 5_2_011EE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011EE420 mov eax, dword ptr fs:[00000030h] 5_2_011EE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011E645D mov eax, dword ptr fs:[00000030h] 5_2_011E645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0127C460 mov ecx, dword ptr fs:[00000030h] 5_2_0127C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121A470 mov eax, dword ptr fs:[00000030h] 5_2_0121A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121A470 mov eax, dword ptr fs:[00000030h] 5_2_0121A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121A470 mov eax, dword ptr fs:[00000030h] 5_2_0121A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h] 5_2_0122E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h] 5_2_0122E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h] 5_2_0122E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h] 5_2_0122E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h] 5_2_0122E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h] 5_2_0122E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h] 5_2_0122E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h] 5_2_0122E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0121245A mov eax, dword ptr fs:[00000030h] 5_2_0121245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012AA456 mov eax, dword ptr fs:[00000030h] 5_2_012AA456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012244B0 mov ecx, dword ptr fs:[00000030h] 5_2_012244B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0127A4B0 mov eax, dword ptr fs:[00000030h] 5_2_0127A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_012AA49A mov eax, dword ptr fs:[00000030h] 5_2_012AA49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F64AB mov eax, dword ptr fs:[00000030h] 5_2_011F64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F04E5 mov ecx, dword ptr fs:[00000030h] 5_2_011F04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122C720 mov eax, dword ptr fs:[00000030h] 5_2_0122C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122C720 mov eax, dword ptr fs:[00000030h] 5_2_0122C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F0710 mov eax, dword ptr fs:[00000030h] 5_2_011F0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0126C730 mov eax, dword ptr fs:[00000030h] 5_2_0126C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122273C mov eax, dword ptr fs:[00000030h] 5_2_0122273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122273C mov ecx, dword ptr fs:[00000030h] 5_2_0122273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122273C mov eax, dword ptr fs:[00000030h] 5_2_0122273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0122C700 mov eax, dword ptr fs:[00000030h] 5_2_0122C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01220710 mov eax, dword ptr fs:[00000030h] 5_2_01220710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011F0750 mov eax, dword ptr fs:[00000030h] 5_2_011F0750
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe"
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 80C008
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Queries volume information: C:\Users\user\Desktop\RFQ STS3780082024.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ STS3780082024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos