Windows Analysis Report
Orden de compra.exe

Overview

General Information

Sample name: Orden de compra.exe
Analysis ID: 1501078
MD5: d9323dddde2041d8b26f7d696499091c
SHA1: 535dc286d8a67be9bca93674ff800c44cfb9b2d1
SHA256: 08c422305e7b10e56d7338bcdf37637b0837e47b6accdee26b43fa93cf3e435d
Tags: exe

Detection

DarkTortilla, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: Formbook, Formbo
Description: FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
Attribution:
  • SWEED
  • Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

AV Detection

Source: Orden de compra.exe Avira: detected
Source: Orden de compra.exe Virustotal: Detection: 34%
Source: Orden de compra.exe ReversingLabs: Detection: 55%
Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Orden de compra.exe Joe Sandbox ML: detected
Source: Orden de compra.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp

E-Banking Fraud

Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0042BFF3 NtClose, 4_2_0042BFF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082B60 NtClose,LdrInitializeThunk, 4_2_01082B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_01082DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_01082C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010835C0 NtCreateMutant,LdrInitializeThunk, 4_2_010835C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01084340 NtSetContextThread, 4_2_01084340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01084650 NtSuspendThread, 4_2_01084650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082B80 NtQueryInformationFile, 4_2_01082B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082BA0 NtEnumerateValueKey, 4_2_01082BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082BE0 NtQueryValueKey, 4_2_01082BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082BF0 NtAllocateVirtualMemory, 4_2_01082BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082AB0 NtWaitForSingleObject, 4_2_01082AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082AD0 NtReadFile, 4_2_01082AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082AF0 NtWriteFile, 4_2_01082AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082D00 NtSetInformationFile, 4_2_01082D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082D10 NtMapViewOfSection, 4_2_01082D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082D30 NtUnmapViewOfSection, 4_2_01082D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082DB0 NtEnumerateKey, 4_2_01082DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082DD0 NtDelayExecution, 4_2_01082DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082C00 NtQueryInformationProcess, 4_2_01082C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082C60 NtCreateKey, 4_2_01082C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082CA0 NtQueryInformationToken, 4_2_01082CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082CC0 NtQueryVirtualMemory, 4_2_01082CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082CF0 NtOpenProcess, 4_2_01082CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082F30 NtCreateSection, 4_2_01082F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082F60 NtCreateProcessEx, 4_2_01082F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082F90 NtProtectVirtualMemory, 4_2_01082F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082FA0 NtQuerySection, 4_2_01082FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082FB0 NtResumeThread, 4_2_01082FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082FE0 NtCreateFile, 4_2_01082FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082E30 NtWriteVirtualMemory, 4_2_01082E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082E80 NtReadVirtualMemory, 4_2_01082E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082EA0 NtAdjustPrivilegesToken, 4_2_01082EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082EE0 NtQueueApcThread, 4_2_01082EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01083010 NtOpenDirectoryObject, 4_2_01083010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01083090 NtSetValueKey, 4_2_01083090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010839B0 NtGetContextThread, 4_2_010839B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01083D10 NtOpenProcessToken, 4_2_01083D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01083D70 NtOpenThread, 4_2_01083D70
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E09C68 CreateProcessAsUserW, 0_2_09E09C68
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_018EA3D8 0_2_018EA3D8
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_018E6748 0_2_018E6748
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_018E4680 0_2_018E4680
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_018E7388 0_2_018E7388
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_018EA3C8 0_2_018EA3C8
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E04B00 0_2_09E04B00
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E08A90 0_2_09E08A90
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E0A240 0_2_09E0A240
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E02CE0 0_2_09E02CE0
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E04448 0_2_09E04448
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E00040 0_2_09E00040
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E00012 0_2_09E00012
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E0AB28 0_2_09E0AB28
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E04AF0 0_2_09E04AF0
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E0E2F8 0_2_09E0E2F8
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E0EA00 0_2_09E0EA00
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E02CD0 0_2_09E02CD0
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E08483 0_2_09E08483
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E08490 0_2_09E08490
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E03C68 0_2_09E03C68
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E03C78 0_2_09E03C78
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E04438 0_2_09E04438
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E067EB 0_2_09E067EB
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E067F8 0_2_09E067F8
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E02F80 0_2_09E02F80
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E02F70 0_2_09E02F70
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E07F59 0_2_09E07F59
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E03600 0_2_09E03600
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E03610 0_2_09E03610
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA10040 0_2_0BA10040
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA1B3B0 0_2_0BA1B3B0
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA1B3C0 0_2_0BA1B3C0
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA1EF58 0_2_0BA1EF58
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA176B8 0_2_0BA176B8
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA1763D 0_2_0BA1763D
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BE10040 0_2_0BE10040
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BE1D81B 0_2_0BE1D81B
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BE1003B 0_2_0BE1003B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00403010 4_2_00403010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040F913 4_2_0040F913
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00401190 4_2_00401190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041621F 4_2_0041621F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00416223 4_2_00416223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004022A4 4_2_004022A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004022B0 4_2_004022B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040FB33 4_2_0040FB33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00401B87 4_2_00401B87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00401B90 4_2_00401B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040DBB1 4_2_0040DBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040DBB3 4_2_0040DBB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00402480 4_2_00402480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0042E5B3 4_2_0042E5B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01040100 4_2_01040100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EA118 4_2_010EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D8158 4_2_010D8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011041A2 4_2_011041A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011101AA 4_2_011101AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011081CC 4_2_011081CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E2000 4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110A352 4_2_0110A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0105E3F0 4_2_0105E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011103E6 4_2_011103E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010F0274 4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D02C0 4_2_010D02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01050535 4_2_01050535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01110591 4_2_01110591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010F4420 4_2_010F4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01102446 4_2_01102446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010FE4F6 4_2_010FE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01074750 4_2_01074750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01050770 4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0104C7C0 4_2_0104C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106C6E0 4_2_0106C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01066962 4_2_01066962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010529A0 4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0111A9A6 4_2_0111A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0105A840 4_2_0105A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01052840 4_2_01052840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010368B8 4_2_010368B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107E8F0 4_2_0107E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110AB40 4_2_0110AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01106BD7 4_2_01106BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0104EA80 4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0105AD00 4_2_0105AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010ECD1F 4_2_010ECD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01068DBF 4_2_01068DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0104ADE0 4_2_0104ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01050C00 4_2_01050C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010F0CB5 4_2_010F0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01040CF2 4_2_01040CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01092F28 4_2_01092F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01070F30 4_2_01070F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010F2F30 4_2_010F2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C4F40 4_2_010C4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CEFA0 4_2_010CEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01042FC8 4_2_01042FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0105CFE0 4_2_0105CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110EE26 4_2_0110EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01050E59 4_2_01050E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110CE93 4_2_0110CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01062E90 4_2_01062E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110EEDB 4_2_0110EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0108516C 4_2_0108516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103F172 4_2_0103F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0111B16B 4_2_0111B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0105B1B0 4_2_0105B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010FF0CC 4_2_010FF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010570C0 4_2_010570C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110F0E0 4_2_0110F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011070E9 4_2_011070E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110132D 4_2_0110132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103D34C 4_2_0103D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0109739A 4_2_0109739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010552A0 4_2_010552A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106B2C0 4_2_0106B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010F12ED 4_2_010F12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01107571 4_2_01107571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010ED5B0 4_2_010ED5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011195C3 4_2_011195C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110F43F 4_2_0110F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01041460 4_2_01041460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110F7B0 4_2_0110F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010417EC 4_2_010417EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01095630 4_2_01095630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011016CC 4_2_011016CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E5910 4_2_010E5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01059950 4_2_01059950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106B950 4_2_0106B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010BD800 4_2_010BD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010538E0 4_2_010538E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110FB76 4_2_0110FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106FB80 4_2_0106FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0108DBF9 4_2_0108DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C5BF0 4_2_010C5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01107A46 4_2_01107A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110FA49 4_2_0110FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C3A6C 4_2_010C3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EDAAC 4_2_010EDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01095AA0 4_2_01095AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010F1AA3 4_2_010F1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010FDAC6 4_2_010FDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01053D40 4_2_01053D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01101D5A 4_2_01101D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01107D73 4_2_01107D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106FDC0 4_2_0106FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C9C32 4_2_010C9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110FCF2 4_2_0110FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110FF09 4_2_0110FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01051F92 4_2_01051F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110FFB1 4_2_0110FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01013FD2 4_2_01013FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01013FD5 4_2_01013FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01059EB0 4_2_01059EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 0103B970 appears 283 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 01085130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 010CF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 01097E54 appears 109 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 010BEA12 appears 86 times
Source: Orden de compra.exe, 00000000.00000002.2206216626.000000000141E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Orden de compra.exe
Source: Orden de compra.exe, 00000000.00000002.2225140854.00000000064D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHPzFG9.dll" vs Orden de compra.exe
Source: Orden de compra.exe, 00000000.00000002.2226496984.00000000076D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameHPzFG9.dll" vs Orden de compra.exe
Source: Orden de compra.exe, 00000000.00000002.2224165565.0000000005A50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRP8SH.dll, vs Orden de compra.exe
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Orden de compra.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de compra.exe.log
Source: C:\Users\user\Desktop\Orden de compra.exe Mutant created: NULL
Source: Orden de compra.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Orden de compra.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\Orden de compra.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Orden de compra.exe Virustotal: Detection: 34%
Source: Orden de compra.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\Orden de compra.exe File read: C:\Users\user\Desktop\Orden de compra.exe
Source: unknown Process created: C:\Users\user\Desktop\Orden de compra.exe "C:\Users\user\Desktop\Orden de compra.exe"
Source: C:\Users\user\Desktop\Orden de compra.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Orden de compra.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Orden de compra.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Orden de compra.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Orden de compra.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Orden de compra.exe Static file information: File size 2419712 > 1048576
Source: Orden de compra.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x24e600
Source: Orden de compra.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 0.2.Orden de compra.exe.76d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Orden de compra.exe.76d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2225140854.00000000064D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2226496984.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2207161212.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Orden de compra.exe PID: 4332, type: MEMORYSTR
Source: Orden de compra.exe, n5T.cs .Net Code: NewLateBinding.LateCall(objectValue2, (Type)null, "Invoke", new object[2]{null,Ra4()}, (string[])null, (Type[])null, (bool[])null, true)
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_09E04438 push 5DE58B90h; ret 0_2_09E043E9
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA197B1 push ebx; ret 0_2_0BA197B2
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA1B388 push eax; ret 0_2_0BA1B389
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA1A31B push edi; ret 0_2_0BA1A322
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA19747 push edx; ret 0_2_0BA1975A
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA196E5 push edx; ret 0_2_0BA1975A
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA1AED1 pushad ; ret 0_2_0BA1AED2
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA19CE1 push esp; ret 0_2_0BA19CE2
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BA1B8C0 pushad ; ret 0_2_0BA1B8C1
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BE1D29B push ebx; ret 0_2_0BE1D2A1
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BE16205 push eax; ret 0_2_0BE1630E
Source: C:\Users\user\Desktop\Orden de compra.exe Code function: 0_2_0BE17991 pushfd ; ret 0_2_0BE17992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00423E33 pushad ; iretd 4_2_00423EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00415062 push edx; retf 4_2_00415066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041E23E push edx; retf 4_2_0041E23F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004142A4 push esi; iretd 4_2_004142A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004032B0 push eax; ret 4_2_004032B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00408349 push ss; retf 4_2_0040834A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041EB78 push 39FD2CB0h; ret 4_2_0041EB7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040831C push esi; retf 4_2_0040831D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040C38A push edi; retf 4_2_0040C38B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041E513 push ecx; retf 4_2_0041E514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00413518 pushfd ; ret 4_2_00413519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00411DE8 push 7D2EA5D3h; retf 4_2_00411DEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041A5FF push ebp; iretd 4_2_0041A601
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041E58D push ss; iretd 4_2_0041E598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00406EA8 push edi; iretd 4_2_00406EA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0101225F pushad ; ret 4_2_010127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010127FA pushad ; ret 4_2_010127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010409AD push ecx; mov dword ptr [esp], ecx 4_2_010409B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0101283D push eax; iretd 4_2_01012858

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Orden de compra.exe File opened: C:\Users\user\Desktop\Orden de compra.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Orden de compra.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Orden de compra.exe PID: 4332, type: MEMORYSTR
Source: C:\Users\user\Desktop\Orden de compra.exe Section loaded: OutputDebugStringW count: 1939
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: 18A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: 3360000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: 64D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: 5B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: 78A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: 88A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: 8AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: C120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: D120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: D5C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: E5C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0108096E rdtsc 4_2_0108096E
Source: C:\Users\user\Desktop\Orden de compra.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Orden de compra.exe Window / User API: threadDelayed 2674
Source: C:\Users\user\Desktop\Orden de compra.exe Window / User API: threadDelayed 7120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API coverage: 0.6 %
Source: C:\Users\user\Desktop\Orden de compra.exe TID: 6300 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\Desktop\Orden de compra.exe TID: 6300 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6884 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Orden de compra.exe Thread delayed: delay time: 30000
Source: Orden de compra.exe, 00000000.00000002.2225140854.00000000064D1000.00000004.00000800.00020000.00000000.sdmp, Orden de compra.exe, 00000000.00000002.2226496984.00000000076D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VBoxTray
Source: Orden de compra.exe, 00000000.00000002.2226496984.00000000076D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: 806010189GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: C:\Users\user\Desktop\Orden de compra.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Orden de compra.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004171D3 LdrLoadDll, 4_2_004171D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EE10E mov eax, dword ptr fs:[00000030h] 4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EE10E mov ecx, dword ptr fs:[00000030h] 4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01100115 mov eax, dword ptr fs:[00000030h] 4_2_01100115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EA118 mov ecx, dword ptr fs:[00000030h] 4_2_010EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EA118 mov eax, dword ptr fs:[00000030h] 4_2_010EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01070124 mov eax, dword ptr fs:[00000030h] 4_2_01070124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D4144 mov eax, dword ptr fs:[00000030h] 4_2_010D4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D4144 mov ecx, dword ptr fs:[00000030h] 4_2_010D4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01046154 mov eax, dword ptr fs:[00000030h] 4_2_01046154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103C156 mov eax, dword ptr fs:[00000030h] 4_2_0103C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D8158 mov eax, dword ptr fs:[00000030h] 4_2_010D8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01114164 mov eax, dword ptr fs:[00000030h] 4_2_01114164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010FC188 mov eax, dword ptr fs:[00000030h] 4_2_010FC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01080185 mov eax, dword ptr fs:[00000030h] 4_2_01080185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E4180 mov eax, dword ptr fs:[00000030h] 4_2_010E4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C019F mov eax, dword ptr fs:[00000030h] 4_2_010C019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103A197 mov eax, dword ptr fs:[00000030h] 4_2_0103A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011061C3 mov eax, dword ptr fs:[00000030h] 4_2_011061C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010BE1D0 mov eax, dword ptr fs:[00000030h] 4_2_010BE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010BE1D0 mov ecx, dword ptr fs:[00000030h] 4_2_010BE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011161E5 mov eax, dword ptr fs:[00000030h] 4_2_011161E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010701F8 mov eax, dword ptr fs:[00000030h] 4_2_010701F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C4000 mov ecx, dword ptr fs:[00000030h] 4_2_010C4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E2000 mov eax, dword ptr fs:[00000030h] 4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0105E016 mov eax, dword ptr fs:[00000030h] 4_2_0105E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103A020 mov eax, dword ptr fs:[00000030h] 4_2_0103A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103C020 mov eax, dword ptr fs:[00000030h] 4_2_0103C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D6030 mov eax, dword ptr fs:[00000030h] 4_2_010D6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01042050 mov eax, dword ptr fs:[00000030h] 4_2_01042050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C6050 mov eax, dword ptr fs:[00000030h] 4_2_010C6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106C073 mov eax, dword ptr fs:[00000030h] 4_2_0106C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0104208A mov eax, dword ptr fs:[00000030h] 4_2_0104208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010380A0 mov eax, dword ptr fs:[00000030h] 4_2_010380A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D80A8 mov eax, dword ptr fs:[00000030h] 4_2_010D80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011060B8 mov eax, dword ptr fs:[00000030h] 4_2_011060B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011060B8 mov ecx, dword ptr fs:[00000030h] 4_2_011060B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C20DE mov eax, dword ptr fs:[00000030h] 4_2_010C20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103A0E3 mov ecx, dword ptr fs:[00000030h] 4_2_0103A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C60E0 mov eax, dword ptr fs:[00000030h] 4_2_010C60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010480E9 mov eax, dword ptr fs:[00000030h] 4_2_010480E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103C0F0 mov eax, dword ptr fs:[00000030h] 4_2_0103C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010820F0 mov ecx, dword ptr fs:[00000030h] 4_2_010820F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107A30B mov eax, dword ptr fs:[00000030h] 4_2_0107A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103C310 mov ecx, dword ptr fs:[00000030h] 4_2_0103C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01060310 mov ecx, dword ptr fs:[00000030h] 4_2_01060310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01118324 mov eax, dword ptr fs:[00000030h] 4_2_01118324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01118324 mov ecx, dword ptr fs:[00000030h] 4_2_01118324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110A352 mov eax, dword ptr fs:[00000030h] 4_2_0110A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h] 4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C035C mov eax, dword ptr fs:[00000030h] 4_2_010C035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C035C mov ecx, dword ptr fs:[00000030h] 4_2_010C035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E8350 mov ecx, dword ptr fs:[00000030h] 4_2_010E8350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0111634F mov eax, dword ptr fs:[00000030h] 4_2_0111634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E437C mov eax, dword ptr fs:[00000030h] 4_2_010E437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106438F mov eax, dword ptr fs:[00000030h] 4_2_0106438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103E388 mov eax, dword ptr fs:[00000030h] 4_2_0103E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01038397 mov eax, dword ptr fs:[00000030h] 4_2_01038397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010FC3CD mov eax, dword ptr fs:[00000030h] 4_2_010FC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0104A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0104A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010483C0 mov eax, dword ptr fs:[00000030h] 4_2_010483C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EE3DB mov eax, dword ptr fs:[00000030h] 4_2_010EE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EE3DB mov ecx, dword ptr fs:[00000030h] 4_2_010EE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E43D4 mov eax, dword ptr fs:[00000030h] 4_2_010E43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010503E9 mov eax, dword ptr fs:[00000030h] 4_2_010503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0105E3F0 mov eax, dword ptr fs:[00000030h] 4_2_0105E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010763FF mov eax, dword ptr fs:[00000030h] 4_2_010763FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103823B mov eax, dword ptr fs:[00000030h] 4_2_0103823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0111625D mov eax, dword ptr fs:[00000030h] 4_2_0111625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C8243 mov eax, dword ptr fs:[00000030h] 4_2_010C8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C8243 mov ecx, dword ptr fs:[00000030h] 4_2_010C8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103A250 mov eax, dword ptr fs:[00000030h] 4_2_0103A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01046259 mov eax, dword ptr fs:[00000030h] 4_2_01046259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010FA250 mov eax, dword ptr fs:[00000030h] 4_2_010FA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01044260 mov eax, dword ptr fs:[00000030h] 4_2_01044260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103826B mov eax, dword ptr fs:[00000030h] 4_2_0103826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h] 4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107E284 mov eax, dword ptr fs:[00000030h] 4_2_0107E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C0283 mov eax, dword ptr fs:[00000030h] 4_2_010C0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010502A0 mov eax, dword ptr fs:[00000030h] 4_2_010502A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D62A0 mov eax, dword ptr fs:[00000030h] 4_2_010D62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D62A0 mov ecx, dword ptr fs:[00000030h] 4_2_010D62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0104A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0104A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011162D6 mov eax, dword ptr fs:[00000030h] 4_2_011162D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010502E1 mov eax, dword ptr fs:[00000030h] 4_2_010502E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D6500 mov eax, dword ptr fs:[00000030h] 4_2_010D6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01114500 mov eax, dword ptr fs:[00000030h] 4_2_01114500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01050535 mov eax, dword ptr fs:[00000030h] 4_2_01050535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106E53E mov eax, dword ptr fs:[00000030h] 4_2_0106E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01048550 mov eax, dword ptr fs:[00000030h] 4_2_01048550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107656A mov eax, dword ptr fs:[00000030h] 4_2_0107656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01042582 mov eax, dword ptr fs:[00000030h] 4_2_01042582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01042582 mov ecx, dword ptr fs:[00000030h] 4_2_01042582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01074588 mov eax, dword ptr fs:[00000030h] 4_2_01074588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107E59C mov eax, dword ptr fs:[00000030h] 4_2_0107E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C05A7 mov eax, dword ptr fs:[00000030h] 4_2_010C05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010645B1 mov eax, dword ptr fs:[00000030h] 4_2_010645B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107E5CF mov eax, dword ptr fs:[00000030h] 4_2_0107E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010465D0 mov eax, dword ptr fs:[00000030h] 4_2_010465D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107A5D0 mov eax, dword ptr fs:[00000030h] 4_2_0107A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106E5E7 mov eax, dword ptr fs:[00000030h] 4_2_0106E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010425E0 mov eax, dword ptr fs:[00000030h] 4_2_010425E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107C5ED mov eax, dword ptr fs:[00000030h] 4_2_0107C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01078402 mov eax, dword ptr fs:[00000030h] 4_2_01078402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103E420 mov eax, dword ptr fs:[00000030h] 4_2_0103E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103C427 mov eax, dword ptr fs:[00000030h] 4_2_0103C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C6420 mov eax, dword ptr fs:[00000030h] 4_2_010C6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107A430 mov eax, dword ptr fs:[00000030h] 4_2_0107A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107E443 mov eax, dword ptr fs:[00000030h] 4_2_0107E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010FA456 mov eax, dword ptr fs:[00000030h] 4_2_010FA456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106245A mov eax, dword ptr fs:[00000030h] 4_2_0106245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103645D mov eax, dword ptr fs:[00000030h] 4_2_0103645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CC460 mov ecx, dword ptr fs:[00000030h] 4_2_010CC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106A470 mov eax, dword ptr fs:[00000030h] 4_2_0106A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010FA49A mov eax, dword ptr fs:[00000030h] 4_2_010FA49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010464AB mov eax, dword ptr fs:[00000030h] 4_2_010464AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010744B0 mov ecx, dword ptr fs:[00000030h] 4_2_010744B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CA4B0 mov eax, dword ptr fs:[00000030h] 4_2_010CA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010404E5 mov ecx, dword ptr fs:[00000030h] 4_2_010404E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107C700 mov eax, dword ptr fs:[00000030h] 4_2_0107C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01040710 mov eax, dword ptr fs:[00000030h] 4_2_01040710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01070710 mov eax, dword ptr fs:[00000030h] 4_2_01070710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107C720 mov eax, dword ptr fs:[00000030h] 4_2_0107C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010BC730 mov eax, dword ptr fs:[00000030h] 4_2_010BC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107273C mov eax, dword ptr fs:[00000030h] 4_2_0107273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107273C mov ecx, dword ptr fs:[00000030h] 4_2_0107273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107674D mov esi, dword ptr fs:[00000030h] 4_2_0107674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107674D mov eax, dword ptr fs:[00000030h] 4_2_0107674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CE75D mov eax, dword ptr fs:[00000030h] 4_2_010CE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01040750 mov eax, dword ptr fs:[00000030h] 4_2_01040750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082750 mov eax, dword ptr fs:[00000030h] 4_2_01082750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C4755 mov eax, dword ptr fs:[00000030h] 4_2_010C4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01048770 mov eax, dword ptr fs:[00000030h] 4_2_01048770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h] 4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E678E mov eax, dword ptr fs:[00000030h] 4_2_010E678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010407AF mov eax, dword ptr fs:[00000030h] 4_2_010407AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010F47A0 mov eax, dword ptr fs:[00000030h] 4_2_010F47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0104C7C0 mov eax, dword ptr fs:[00000030h] 4_2_0104C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C07C3 mov eax, dword ptr fs:[00000030h] 4_2_010C07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010627ED mov eax, dword ptr fs:[00000030h] 4_2_010627ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CE7E1 mov eax, dword ptr fs:[00000030h] 4_2_010CE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010447FB mov eax, dword ptr fs:[00000030h] 4_2_010447FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010BE609 mov eax, dword ptr fs:[00000030h] 4_2_010BE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0105260B mov eax, dword ptr fs:[00000030h] 4_2_0105260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01082619 mov eax, dword ptr fs:[00000030h] 4_2_01082619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0105E627 mov eax, dword ptr fs:[00000030h] 4_2_0105E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01076620 mov eax, dword ptr fs:[00000030h] 4_2_01076620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01078620 mov eax, dword ptr fs:[00000030h] 4_2_01078620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0104262C mov eax, dword ptr fs:[00000030h] 4_2_0104262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0105C640 mov eax, dword ptr fs:[00000030h] 4_2_0105C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107A660 mov eax, dword ptr fs:[00000030h] 4_2_0107A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01072674 mov eax, dword ptr fs:[00000030h] 4_2_01072674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110866E mov eax, dword ptr fs:[00000030h] 4_2_0110866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01044690 mov eax, dword ptr fs:[00000030h] 4_2_01044690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107C6A6 mov eax, dword ptr fs:[00000030h] 4_2_0107C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010766B0 mov eax, dword ptr fs:[00000030h] 4_2_010766B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107A6C7 mov ebx, dword ptr fs:[00000030h] 4_2_0107A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107A6C7 mov eax, dword ptr fs:[00000030h] 4_2_0107A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010BE6F2 mov eax, dword ptr fs:[00000030h] 4_2_010BE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C06F1 mov eax, dword ptr fs:[00000030h] 4_2_010C06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010BE908 mov eax, dword ptr fs:[00000030h] 4_2_010BE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01038918 mov eax, dword ptr fs:[00000030h] 4_2_01038918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CC912 mov eax, dword ptr fs:[00000030h] 4_2_010CC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C892A mov eax, dword ptr fs:[00000030h] 4_2_010C892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D892B mov eax, dword ptr fs:[00000030h] 4_2_010D892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C0946 mov eax, dword ptr fs:[00000030h] 4_2_010C0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01114940 mov eax, dword ptr fs:[00000030h] 4_2_01114940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01066962 mov eax, dword ptr fs:[00000030h] 4_2_01066962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0108096E mov eax, dword ptr fs:[00000030h] 4_2_0108096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0108096E mov edx, dword ptr fs:[00000030h] 4_2_0108096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CC97C mov eax, dword ptr fs:[00000030h] 4_2_010CC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E4978 mov eax, dword ptr fs:[00000030h] 4_2_010E4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h] 4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010409AD mov eax, dword ptr fs:[00000030h] 4_2_010409AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C89B3 mov esi, dword ptr fs:[00000030h] 4_2_010C89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010C89B3 mov eax, dword ptr fs:[00000030h] 4_2_010C89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110A9D3 mov eax, dword ptr fs:[00000030h] 4_2_0110A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D69C0 mov eax, dword ptr fs:[00000030h] 4_2_010D69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0104A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0104A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010749D0 mov eax, dword ptr fs:[00000030h] 4_2_010749D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CE9E0 mov eax, dword ptr fs:[00000030h] 4_2_010CE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010729F9 mov eax, dword ptr fs:[00000030h] 4_2_010729F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CC810 mov eax, dword ptr fs:[00000030h] 4_2_010CC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01062835 mov eax, dword ptr fs:[00000030h] 4_2_01062835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01062835 mov ecx, dword ptr fs:[00000030h] 4_2_01062835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E483A mov eax, dword ptr fs:[00000030h] 4_2_010E483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107A830 mov eax, dword ptr fs:[00000030h] 4_2_0107A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01052840 mov ecx, dword ptr fs:[00000030h] 4_2_01052840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01070854 mov eax, dword ptr fs:[00000030h] 4_2_01070854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01044859 mov eax, dword ptr fs:[00000030h] 4_2_01044859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D6870 mov eax, dword ptr fs:[00000030h] 4_2_010D6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CE872 mov eax, dword ptr fs:[00000030h] 4_2_010CE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01040887 mov eax, dword ptr fs:[00000030h] 4_2_01040887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CC89D mov eax, dword ptr fs:[00000030h] 4_2_010CC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106E8C0 mov eax, dword ptr fs:[00000030h] 4_2_0106E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_011108C0 mov eax, dword ptr fs:[00000030h] 4_2_011108C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110A8E4 mov eax, dword ptr fs:[00000030h] 4_2_0110A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107C8F9 mov eax, dword ptr fs:[00000030h] 4_2_0107C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01114B00 mov eax, dword ptr fs:[00000030h] 4_2_01114B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010BEB1D mov eax, dword ptr fs:[00000030h] 4_2_010BEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106EB20 mov eax, dword ptr fs:[00000030h] 4_2_0106EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01108B28 mov eax, dword ptr fs:[00000030h] 4_2_01108B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010F4B4B mov eax, dword ptr fs:[00000030h] 4_2_010F4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01112B57 mov eax, dword ptr fs:[00000030h] 4_2_01112B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010E8B42 mov eax, dword ptr fs:[00000030h] 4_2_010E8B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010D6B40 mov eax, dword ptr fs:[00000030h] 4_2_010D6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0110AB40 mov eax, dword ptr fs:[00000030h] 4_2_0110AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01038B50 mov eax, dword ptr fs:[00000030h] 4_2_01038B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EEB50 mov eax, dword ptr fs:[00000030h] 4_2_010EEB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0103CB7E mov eax, dword ptr fs:[00000030h] 4_2_0103CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01050BBE mov eax, dword ptr fs:[00000030h] 4_2_01050BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010F4BB0 mov eax, dword ptr fs:[00000030h] 4_2_010F4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01040BCD mov eax, dword ptr fs:[00000030h] 4_2_01040BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01060BCB mov eax, dword ptr fs:[00000030h] 4_2_01060BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EEBD0 mov eax, dword ptr fs:[00000030h] 4_2_010EEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01048BF0 mov eax, dword ptr fs:[00000030h] 4_2_01048BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106EBFC mov eax, dword ptr fs:[00000030h] 4_2_0106EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CCBF0 mov eax, dword ptr fs:[00000030h] 4_2_010CCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010CCA11 mov eax, dword ptr fs:[00000030h] 4_2_010CCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107CA24 mov eax, dword ptr fs:[00000030h] 4_2_0107CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0106EA2E mov eax, dword ptr fs:[00000030h] 4_2_0106EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01064A35 mov eax, dword ptr fs:[00000030h] 4_2_01064A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107CA38 mov eax, dword ptr fs:[00000030h] 4_2_0107CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01046A50 mov eax, dword ptr fs:[00000030h] 4_2_01046A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01050A5B mov eax, dword ptr fs:[00000030h] 4_2_01050A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0107CA6F mov eax, dword ptr fs:[00000030h] 4_2_0107CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010EEA60 mov eax, dword ptr fs:[00000030h] 4_2_010EEA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_010BCA72 mov eax, dword ptr fs:[00000030h] 4_2_010BCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0104EA80 mov eax, dword ptr fs:[00000030h] 4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01114A80 mov eax, dword ptr fs:[00000030h] 4_2_01114A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01078A90 mov edx, dword ptr fs:[00000030h] 4_2_01078A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_01048AA0 mov eax, dword ptr fs:[00000030h] 4_2_01048AA0
Source: C:\Users\user\Desktop\Orden de compra.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Orden de compra.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Orden de compra.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Orden de compra.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\Orden de compra.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\Orden de compra.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 8C2008
Source: C:\Users\user\Desktop\Orden de compra.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\Orden de compra.exe Queries volume information: C:\Users\user\Desktop\Orden de compra.exe VolumeInformation
Source: C:\Users\user\Desktop\Orden de compra.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de compra.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de compra.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de compra.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de compra.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de compra.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos