Windows Analysis Report
BL-INV-PL-ISO.exe

Overview

General Information

Sample name: BL-INV-PL-ISO.exe
Analysis ID: 1522512
MD5: 98764b1ea06180b4a89c043b0fc11914
SHA1: 88cdfcf42452ca0429f31fdd8d7372effe387969
SHA256: 97fb0388618e3d977b390696f4ca19e38f0e706d70a40726bab9ed8dcdcd036c
Tags: exeuser-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe ReversingLabs: Detection: 26%
Source: BL-INV-PL-ISO.exe ReversingLabs: Detection: 26%
Source: BL-INV-PL-ISO.exe Virustotal: Detection: 23%
Source: Yara match File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: BL-INV-PL-ISO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BL-INV-PL-ISO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: UYWF.pdb source: BL-INV-PL-ISO.exe, dZxrrOCj.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: UYWF.pdbSHA256 source: BL-INV-PL-ISO.exe, dZxrrOCj.exe.0.dr
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1735961289.0000000002604000.00000004.00000800.00020000.00000000.sdmp, dZxrrOCj.exe, 0000000D.00000002.1773816351.0000000002834000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740573197.0000000004EC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com.
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Source: Yara match File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_0042CA83 NtClose, 17_2_0042CA83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2DF0 NtQuerySystemInformation,LdrInitializeThunk, 17_2_05AC2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2C70 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_05AC2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC35C0 NtCreateMutant,LdrInitializeThunk, 17_2_05AC35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC4650 NtSuspendThread, 17_2_05AC4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC4340 NtSetContextThread, 17_2_05AC4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2DB0 NtEnumerateKey, 17_2_05AC2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2DD0 NtDelayExecution, 17_2_05AC2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2D30 NtUnmapViewOfSection, 17_2_05AC2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2D00 NtSetInformationFile, 17_2_05AC2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2D10 NtMapViewOfSection, 17_2_05AC2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2CA0 NtQueryInformationToken, 17_2_05AC2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2CF0 NtOpenProcess, 17_2_05AC2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2CC0 NtQueryVirtualMemory, 17_2_05AC2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2C00 NtQueryInformationProcess, 17_2_05AC2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2C60 NtCreateKey, 17_2_05AC2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2FA0 NtQuerySection, 17_2_05AC2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2FB0 NtResumeThread, 17_2_05AC2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2F90 NtProtectVirtualMemory, 17_2_05AC2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2FE0 NtCreateFile, 17_2_05AC2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2F30 NtCreateSection, 17_2_05AC2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2F60 NtCreateProcessEx, 17_2_05AC2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2EA0 NtAdjustPrivilegesToken, 17_2_05AC2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2E80 NtReadVirtualMemory, 17_2_05AC2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2EE0 NtQueueApcThread, 17_2_05AC2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2E30 NtWriteVirtualMemory, 17_2_05AC2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2BA0 NtEnumerateValueKey, 17_2_05AC2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2B80 NtQueryInformationFile, 17_2_05AC2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2BE0 NtQueryValueKey, 17_2_05AC2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2BF0 NtAllocateVirtualMemory, 17_2_05AC2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2B60 NtClose, 17_2_05AC2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2AB0 NtWaitForSingleObject, 17_2_05AC2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2AF0 NtWriteFile, 17_2_05AC2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2AD0 NtReadFile, 17_2_05AC2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC3090 NtSetValueKey, 17_2_05AC3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC3010 NtOpenDirectoryObject, 17_2_05AC3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC3D10 NtOpenProcessToken, 17_2_05AC3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC3D70 NtOpenThread, 17_2_05AC3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC39B0 NtGetContextThread, 17_2_05AC39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 05AD7E54 appears 108 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 05A7B970 appears 265 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 05AFEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 05B0F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 05AC5130 appears 58 times
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1725947037.000000000059E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1741347431.0000000006B2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1742101789.0000000009700000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1736708833.00000000040AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe, 00000000.00000000.1684503221.000000000010E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUYWF.exe@ vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe Binary or memory string: OriginalFilenameUYWF.exe@ vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: BL-INV-PL-ISO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dZxrrOCj.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, uUMOocUIxKVTuplUam.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cfZycf0kcb26X6tlXo.cs Security API names: _0020.SetAccessControl
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cfZycf0kcb26X6tlXo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cfZycf0kcb26X6tlXo.cs Security API names: _0020.AddAccessRule
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cfZycf0kcb26X6tlXo.cs Security API names: _0020.SetAccessControl
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cfZycf0kcb26X6tlXo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cfZycf0kcb26X6tlXo.cs Security API names: _0020.AddAccessRule
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, uUMOocUIxKVTuplUam.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@27/15@0/0
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe File created: C:\Users\user\AppData\Roaming\dZxrrOCj.exe
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Mutant created: \Sessions\1\BaseNamedObjects\XTpUHwAlqzCYlLXTmffAOhrcva
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_03
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2596:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:120:WilError_03
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe File created: C:\Users\user\AppData\Local\Temp\tmp590C.tmp
Source: BL-INV-PL-ISO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BL-INV-PL-ISO.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BL-INV-PL-ISO.exe ReversingLabs: Detection: 26%
Source: BL-INV-PL-ISO.exe Virustotal: Detection: 23%
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe File read: C:\Users\user\Desktop\BL-INV-PL-ISO.exe
Source: unknown Process created: C:\Users\user\Desktop\BL-INV-PL-ISO.exe "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\dZxrrOCj.exe C:\Users\user\AppData\Roaming\dZxrrOCj.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp"
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
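The process tree above shows the two steps a detection engineer would want to alert on: the dropper spawning powershell.exe with Add-MpPreference -ExclusionPath for its own path and for the Roaming copy, and schtasks.exe registering a task from an XML file in the user's Temp directory. The following is an example added by the editor, not part of the sandbox report: a small rule engine over process-creation events (image, parent image, command line, as Sysmon event 1 or Security 4688 would provide). The events are constructed to mirror the report's command lines plus two benign controls; the user-writable path classes, the severity scheme and the -EncodedCommand handling are the editor's assumptions.

```python
"""Process-creation detection for the two evasion/persistence steps in the
report's process tree: Defender exclusions added via Add-MpPreference (plain
or -EncodedCommand) and a scheduled task registered from an XML in a temp dir.
Editor-added example; the events are constructed, not real telemetry."""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event: ProcEvent


# Assumption: these are the user-writable locations that matter for this tradecraft.
USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\|\\Windows\\Temp\\")
TEMP_DIR = re.compile(r"(?i)\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TE?MP%")
MP_EXCLUSION = re.compile(r"(?i)\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\b")
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so rules can see it."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def flag_value(cmdline: str, flag: str):
    """Value following a schtasks-style flag, honouring double quotes."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def evaluate(events):
    findings = []
    for ev in events:
        image = ev.image.lower()
        cmd = expand_encoded(ev.command_line)
        if image.endswith(("powershell.exe", "pwsh.exe")) and MP_EXCLUSION.search(cmd):
            # Excluding a path under a user profile is the malware pattern; an admin excluding
            # a build tree from an elevated console is the usual benign cause, hence medium.
            sev = "high" if USER_WRITABLE.search(cmd) else "medium"
            findings.append(Finding("defender_exclusion_added", sev, ev))
        if image.endswith("schtasks.exe") and re.search(r"(?i)/create\b", cmd):
            xml = flag_value(cmd, "/XML")
            if xml and TEMP_DIR.search(xml):
                sev = "high" if USER_WRITABLE.search(ev.parent_image) else "medium"
                findings.append(Finding("schtasks_xml_from_temp", sev, ev))
    return findings


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\BL-INV-PL-ISO.exe"
_ENC = base64.b64encode('Add-MpPreference -ExclusionPath "C:\\Tools\\scanner"'.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed: the report's command lines, one encoded variant, two benign controls
    ProcEvent(DROPPER, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"'),
    ProcEvent(DROPPER, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe"'),
    ProcEvent(DROPPER, r"C:\Windows\SysWOW64\schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp"'),
    ProcEvent(PS, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, f"powershell.exe -nop -w hidden -enc {_ENC}"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe Get-MpPreference"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "NightlyBackup" /TR "C:\Program Files\Backup\run.exe" /SC DAILY /ST 02:00'),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.rule:26} {f.event.command_line[:90]}")
```

Run stand-alone it prints three high findings and one medium; the conhost.exe child, Get-MpPreference, and the /TR-based backup task produce nothing. In production the same two rules map onto Defender's own event 5007 (configuration change) and Task Scheduler operational event 106, which give a second, process-independent signal.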
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: BL-INV-PL-ISO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BL-INV-PL-ISO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: BL-INV-PL-ISO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: UYWF.pdb source: BL-INV-PL-ISO.exe, dZxrrOCj.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: UYWF.pdbSHA256 source: BL-INV-PL-ISO.exe, dZxrrOCj.exe.0.dr
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cfZycf0kcb26X6tlXo.cs .Net Code: clHhbwHd3t System.Reflection.Assembly.Load(byte[])
Source: 0.2.BL-INV-PL-ISO.exe.3601ea0.1.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.BL-INV-PL-ISO.exe.50c0000.3.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cfZycf0kcb26X6tlXo.cs .Net Code: clHhbwHd3t System.Reflection.Assembly.Load(byte[])
Source: 0.2.BL-INV-PL-ISO.exe.35e9c80.0.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: BL-INV-PL-ISO.exe Static PE information: 0xC3F91EE2 [Sat Mar 10 04:58:10 2074 UTC]
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Code function: 0_2_00AEDB28 pushad ; retf 0_2_00AEDB29
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Code function: 0_2_07971B05 push FFFFFF8Bh; iretd 0_2_07971B07
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Code function: 13_2_00FDDB28 pushad ; retf 13_2_00FDDB29
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Code function: 13_2_07820D75 push FFFFFF8Bh; iretd 13_2_07820D77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_0041F058 push esi; ret 17_2_0041F05E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_0041F089 push FFFFFF9Ah; retf 17_2_0041F08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_0041F8AF push FFFFFFE3h; ret 17_2_0041F8B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_0041F95A push ds; iretd 17_2_0041F971
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_00402178 push es; ret 17_2_004021C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_004021A2 push es; ret 17_2_004021C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_00419A5A push ds; ret 17_2_00419A5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_0040D20B push ebp; retf 17_2_0040D211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_00424AE3 push edi; ret 17_2_00424AEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_0040ABDA push ebx; ret 17_2_0040ABDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_00423BEF pushfd ; retf 17_2_00423BEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_004033F0 push eax; ret 17_2_004033F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_00423BB8 pushfd ; retf 17_2_00423BEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_0041664B pushad ; retf 17_2_00416653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_00412634 push edi; iretd 17_2_00412635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_0040CF05 pushad ; iretd 17_2_0040CF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_00413FF4 pushad ; iretd 17_2_00413FF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_004137A3 push ecx; retf 17_2_00413868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A809AD push ecx; mov dword ptr [esp], ecx 17_2_05A809B6
Source: BL-INV-PL-ISO.exe Static PE information: section name: .text entropy: 7.705373741079922
Source: dZxrrOCj.exe.0.dr Static PE information: section name: .text entropy: 7.705373741079922
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, l6TFIRal5HdvTuAvFR.cs High entropy of concatenated method names: 'xVnKMS9NIR', 'dk1KCOIXS1', 'kpVKJMQx0c', 'gQSJLiag9k', 'O9rJz56ISN', 'mQ7KpMXwGS', 'VNXKkrmN3h', 'RMPK84jSg4', 'GDLKGQUqCh', 'qiPKhTghil'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, TqWwAsLkiN3CFtoVfa.cs High entropy of concatenated method names: 'x0G6kgNAXJ', 'gYt6G1pPDh', 'gGJ6hWYUxe', 'u0t6MrXpIy', 'ARh6rRPoCq', 'LfR6FD03GN', 'Rdo6J5HFrT', 'awKmg46aiP', 'I7nmu7PdvC', 'ARRm56g5SY'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, sGidIWAjxT9DQD2jyC.cs High entropy of concatenated method names: 'IsjJ2yIoUy', 'nnrJrI5AkK', 'cCFJFR72fI', 'onJJKqCvWx', 'eieJ0kwV1b', 'B5MFi0qPud', 'SwkFxgSipX', 'f2nFg6s3jk', 'J7qFumddEi', 'SS1F55XS5M'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cfZycf0kcb26X6tlXo.cs High entropy of concatenated method names: 'RSyG2MIpO4', 'DqMGMh7e3p', 'CmJGre8Fr3', 'fMdGCUoiR8', 'jkNGFU0RLY', 'dBnGJBtVJQ', 'DrDGKvpfiW', 'f2oG0M9mbC', 'utZGSPbAs0', 'jP0GlEHrwP'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cU6Qf6h8MixZH75icy.cs High entropy of concatenated method names: 'VQwkKUMOoc', 'QxKk0VTupl', 'dE6klxU8dN', 'Rulko7H16M', 'QOvkZtGnGi', 'qIWkTjxT9D', 'eWWBiDeHQaUZj0yqVI', 'zDTektAmB4mH3u1o1o', 'EoTkkID8Fl', 'lPAkGEUTlO'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, lNDQloxMyDmhpPDOWl.cs High entropy of concatenated method names: 'OKvdut556a', 'GrwdLEcIOT', 'ia1mpgXeIX', 'R3Wmk6KHWx', 'ydSdXCsjpB', 'zX2dYsFtCi', 'rwUd4aBwHX', 'tZxdIteB8N', 'Gj9deO9W5t', 'A8dd7rTUsV'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, WKKHDvNKxvSnL6SGaH.cs High entropy of concatenated method names: 'JJMKftASch', 'iw4KDlTtuf', 'D50Kb4dcAR', 'q9uKHyYj7j', 'yJXKBtJpE1', 'zeMK3BMu0g', 'sg1KQue3FM', 'KeGKUYyhav', 'cG0KjT1Ttu', 'U0iKv4j2yu'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, gEl1DV4DciT4JTELMs.cs High entropy of concatenated method names: 'UW91UoW2lA', 'BoO1jZc9yx', 'Nei1ApWY50', 'r2n19mrd0F', 'wxA1ytqR7S', 'rnx1PZ1noJ', 'mR21a4QMh6', 'G0d1tblOwc', 'pBx1OWhd7m', 'rRE1XKsd7j'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, c0PD99zDASEcV46Xs3.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ctV61a1JCR', 'NHq6ZD7lIZ', 'OI96TFCxsf', 'QCj6dEAIEv', 'Rdt6msmXmP', 'mZn66IAvHu', 'shN6nDyGBX'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, VNv1OU8Walm78ZVDd5.cs High entropy of concatenated method names: 'WjGbqLonU', 'tr4H2MuXo', 'mra3ZiIVV', 'XSDQETlpd', 'csmjS9elG', 'qJYvjuWpX', 'nGKbCdGf1REIvkBFpn', 'v4OfKVsT91hrS2aPoy', 'OsURx8EB6xhyi4uOwV', 'iyqmxjan7'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, DI7yKUuw3K2T0FjALa.cs High entropy of concatenated method names: 'MedmM3Eren', 'kgfmrpgF6y', 'RqrmCU3u5D', 'xZ4mFcZVMM', 'FcgmJwRwrw', 'zwQmKuB9lf', 'xvUm0Q7Q6v', 'WXXmSGmYCC', 'b94mlRtUrW', 'zd6moqxxSm'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, WWDxQnkGDXGaylq8aLM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zR9nIjkxoa', 'st0neacXaH', 'XmVn7aGwMy', 'hPVnsKychO', 'buSniA9TsK', 'n3HnxEeolk', 'DFEngv4Zkd'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, DYI8K0rsEh87KO9w2Y.cs High entropy of concatenated method names: 'Dispose', 'xKgk5fgPrX', 'spi89IN3bD', 'rnspp8HGlI', 'FUIkL7yKUw', 'BK2kzT0FjA', 'ProcessDialogKey', 'Yah8pfeKFp', 'uvf8kbxJ1R', 'WCT88sqWwA'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, dfeKFp5wvfbxJ1RuCT.cs High entropy of concatenated method names: 'wDxmA9KR7J', 'xeIm9wmF5c', 'FZ8mR9HPKI', 'yZymyMASVh', 'MAwmIaETuv', 'uPImPIMxk6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, SPhPfhjE6xU8dNeul7.cs High entropy of concatenated method names: 'MZ7CHitOBu', 'DuPC3l9MiW', 'OR8CU523v9', 'j5oCjkNu2I', 'xuTCZqUJW1', 'TQaCT98hdL', 'bnnCdVV2nb', 'QQdCmHNqye', 'XAHC6dPgoR', 'A20CnDQcQh'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, uUMOocUIxKVTuplUam.cs High entropy of concatenated method names: 'UxErIZ2eKJ', 'WUrretkkdt', 'wiXr7GTtus', 'WjlrshmiCX', 'IrGriAAUDv', 'tVErxUNv8x', 'dLxrgvHTkM', 'eEPruMjB3t', 'q0qr5FD2TS', 'zRvrLDWLTt'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, AgDxvokpfb05xEXq3aJ.cs High entropy of concatenated method names: 'RhF6fwaO6O', 'M6E6DsaVl9', 'kwu6beDUrJ', 'soe6HSCcRU', 'Cnp6BhAKKg', 'O5Z63ZKLpI', 'a1E6Qdvybj', 'AAb6UL6NWc', 'uuQ6jZannN', 'ECL6v2exdr'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, A16MKav3vJLRDIOvtG.cs High entropy of concatenated method names: 'EZLFBEacCa', 'HSuFQNg93E', 'd7xCRCrOLQ', 'IO3CyWSYdw', 'bc2CPcDMwk', 'JGvCWSUD7F', 'yEECaLTlrc', 'ADyCtBhVSi', 'PLACNQ9o2s', 'OVXCO2mEFM'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, RkTHaNsbNEDWW1Oh0V.cs High entropy of concatenated method names: 'SKYdloI5vA', 'U9vdoksEWe', 'ToString', 'C4xdMQxeVm', 'q4Wdr7e8BN', 'E0ddCoxYvx', 'g3SdFw58VR', 't35dJbARyf', 'Ab6dKdMR9j', 'XcWd0uExtw'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, zB1mPmIbOkQbmdJNkb.cs High entropy of concatenated method names: 'bcqZO42Zws', 'vdbZYDiJJN', 'qrKZIRj5nX', 'IiTZe4MnrD', 'yqEZ9CBLWv', 'mc3ZR9dWJ6', 'x7tZyZopbt', 'oGVZPmGfb6', 'eQ2ZW7WDMt', 'KRVZaBLxmt'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, l6TFIRal5HdvTuAvFR.cs High entropy of concatenated method names: 'xVnKMS9NIR', 'dk1KCOIXS1', 'kpVKJMQx0c', 'gQSJLiag9k', 'O9rJz56ISN', 'mQ7KpMXwGS', 'VNXKkrmN3h', 'RMPK84jSg4', 'GDLKGQUqCh', 'qiPKhTghil'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, TqWwAsLkiN3CFtoVfa.cs High entropy of concatenated method names: 'x0G6kgNAXJ', 'gYt6G1pPDh', 'gGJ6hWYUxe', 'u0t6MrXpIy', 'ARh6rRPoCq', 'LfR6FD03GN', 'Rdo6J5HFrT', 'awKmg46aiP', 'I7nmu7PdvC', 'ARRm56g5SY'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, sGidIWAjxT9DQD2jyC.cs High entropy of concatenated method names: 'IsjJ2yIoUy', 'nnrJrI5AkK', 'cCFJFR72fI', 'onJJKqCvWx', 'eieJ0kwV1b', 'B5MFi0qPud', 'SwkFxgSipX', 'f2nFg6s3jk', 'J7qFumddEi', 'SS1F55XS5M'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cfZycf0kcb26X6tlXo.cs High entropy of concatenated method names: 'RSyG2MIpO4', 'DqMGMh7e3p', 'CmJGre8Fr3', 'fMdGCUoiR8', 'jkNGFU0RLY', 'dBnGJBtVJQ', 'DrDGKvpfiW', 'f2oG0M9mbC', 'utZGSPbAs0', 'jP0GlEHrwP'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cU6Qf6h8MixZH75icy.cs High entropy of concatenated method names: 'VQwkKUMOoc', 'QxKk0VTupl', 'dE6klxU8dN', 'Rulko7H16M', 'QOvkZtGnGi', 'qIWkTjxT9D', 'eWWBiDeHQaUZj0yqVI', 'zDTektAmB4mH3u1o1o', 'EoTkkID8Fl', 'lPAkGEUTlO'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, lNDQloxMyDmhpPDOWl.cs High entropy of concatenated method names: 'OKvdut556a', 'GrwdLEcIOT', 'ia1mpgXeIX', 'R3Wmk6KHWx', 'ydSdXCsjpB', 'zX2dYsFtCi', 'rwUd4aBwHX', 'tZxdIteB8N', 'Gj9deO9W5t', 'A8dd7rTUsV'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, WKKHDvNKxvSnL6SGaH.cs High entropy of concatenated method names: 'JJMKftASch', 'iw4KDlTtuf', 'D50Kb4dcAR', 'q9uKHyYj7j', 'yJXKBtJpE1', 'zeMK3BMu0g', 'sg1KQue3FM', 'KeGKUYyhav', 'cG0KjT1Ttu', 'U0iKv4j2yu'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, gEl1DV4DciT4JTELMs.cs High entropy of concatenated method names: 'UW91UoW2lA', 'BoO1jZc9yx', 'Nei1ApWY50', 'r2n19mrd0F', 'wxA1ytqR7S', 'rnx1PZ1noJ', 'mR21a4QMh6', 'G0d1tblOwc', 'pBx1OWhd7m', 'rRE1XKsd7j'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, c0PD99zDASEcV46Xs3.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ctV61a1JCR', 'NHq6ZD7lIZ', 'OI96TFCxsf', 'QCj6dEAIEv', 'Rdt6msmXmP', 'mZn66IAvHu', 'shN6nDyGBX'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, VNv1OU8Walm78ZVDd5.cs High entropy of concatenated method names: 'WjGbqLonU', 'tr4H2MuXo', 'mra3ZiIVV', 'XSDQETlpd', 'csmjS9elG', 'qJYvjuWpX', 'nGKbCdGf1REIvkBFpn', 'v4OfKVsT91hrS2aPoy', 'OsURx8EB6xhyi4uOwV', 'iyqmxjan7'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, DI7yKUuw3K2T0FjALa.cs High entropy of concatenated method names: 'MedmM3Eren', 'kgfmrpgF6y', 'RqrmCU3u5D', 'xZ4mFcZVMM', 'FcgmJwRwrw', 'zwQmKuB9lf', 'xvUm0Q7Q6v', 'WXXmSGmYCC', 'b94mlRtUrW', 'zd6moqxxSm'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, WWDxQnkGDXGaylq8aLM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zR9nIjkxoa', 'st0neacXaH', 'XmVn7aGwMy', 'hPVnsKychO', 'buSniA9TsK', 'n3HnxEeolk', 'DFEngv4Zkd'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, DYI8K0rsEh87KO9w2Y.cs High entropy of concatenated method names: 'Dispose', 'xKgk5fgPrX', 'spi89IN3bD', 'rnspp8HGlI', 'FUIkL7yKUw', 'BK2kzT0FjA', 'ProcessDialogKey', 'Yah8pfeKFp', 'uvf8kbxJ1R', 'WCT88sqWwA'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, dfeKFp5wvfbxJ1RuCT.cs High entropy of concatenated method names: 'wDxmA9KR7J', 'xeIm9wmF5c', 'FZ8mR9HPKI', 'yZymyMASVh', 'MAwmIaETuv', 'uPImPIMxk6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, SPhPfhjE6xU8dNeul7.cs High entropy of concatenated method names: 'MZ7CHitOBu', 'DuPC3l9MiW', 'OR8CU523v9', 'j5oCjkNu2I', 'xuTCZqUJW1', 'TQaCT98hdL', 'bnnCdVV2nb', 'QQdCmHNqye', 'XAHC6dPgoR', 'A20CnDQcQh'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, uUMOocUIxKVTuplUam.cs High entropy of concatenated method names: 'UxErIZ2eKJ', 'WUrretkkdt', 'wiXr7GTtus', 'WjlrshmiCX', 'IrGriAAUDv', 'tVErxUNv8x', 'dLxrgvHTkM', 'eEPruMjB3t', 'q0qr5FD2TS', 'zRvrLDWLTt'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, AgDxvokpfb05xEXq3aJ.cs High entropy of concatenated method names: 'RhF6fwaO6O', 'M6E6DsaVl9', 'kwu6beDUrJ', 'soe6HSCcRU', 'Cnp6BhAKKg', 'O5Z63ZKLpI', 'a1E6Qdvybj', 'AAb6UL6NWc', 'uuQ6jZannN', 'ECL6v2exdr'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, A16MKav3vJLRDIOvtG.cs High entropy of concatenated method names: 'EZLFBEacCa', 'HSuFQNg93E', 'd7xCRCrOLQ', 'IO3CyWSYdw', 'bc2CPcDMwk', 'JGvCWSUD7F', 'yEECaLTlrc', 'ADyCtBhVSi', 'PLACNQ9o2s', 'OVXCO2mEFM'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, RkTHaNsbNEDWW1Oh0V.cs High entropy of concatenated method names: 'SKYdloI5vA', 'U9vdoksEWe', 'ToString', 'C4xdMQxeVm', 'q4Wdr7e8BN', 'E0ddCoxYvx', 'g3SdFw58VR', 't35dJbARyf', 'Ab6dKdMR9j', 'XcWd0uExtw'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, zB1mPmIbOkQbmdJNkb.cs High entropy of concatenated method names: 'bcqZO42Zws', 'vdbZYDiJJN', 'qrKZIRj5nX', 'IiTZe4MnrD', 'yqEZ9CBLWv', 'mc3ZR9dWJ6', 'x7tZyZopbt', 'oGVZPmGfb6', 'eQ2ZW7WDMt', 'KRVZaBLxmt'
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe File created: C:\Users\user\AppData\Roaming\dZxrrOCj.exe

Boot Survival

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: BL-INV-PL-ISO.exe PID: 6848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dZxrrOCj.exe PID: 7288, type: MEMORYSTR
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Memory allocated: AA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Memory allocated: 25C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Memory allocated: 22E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Memory allocated: 70D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Memory allocated: 6DF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Memory allocated: 80D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Memory allocated: 90D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Memory allocated: 9790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Memory allocated: A790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Memory allocated: FD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Memory allocated: 27F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Memory allocated: 47F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Memory allocated: 6F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Memory allocated: 6D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Memory allocated: 7F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Memory allocated: 8F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Memory allocated: 96A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Memory allocated: A6A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC096E rdtsc 17_2_05AC096E
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5748
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe API coverage: 0.6 %
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe TID: 6948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6612 Thread sleep count: 5748 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe TID: 7432 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7568 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_00417BF3 LdrLoadDll, 17_2_00417BF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B005A7 mov eax, dword ptr fs:[00000030h] 17_2_05B005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AA45B1 mov eax, dword ptr fs:[00000030h] 17_2_05AA45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB4588 mov eax, dword ptr fs:[00000030h] 17_2_05AB4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A82582 mov eax, dword ptr fs:[00000030h] 17_2_05A82582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A82582 mov ecx, dword ptr fs:[00000030h] 17_2_05A82582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABE59C mov eax, dword ptr fs:[00000030h] 17_2_05ABE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABC5ED mov eax, dword ptr fs:[00000030h] 17_2_05ABC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A825E0 mov eax, dword ptr fs:[00000030h] 17_2_05A825E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AAE5E7 mov eax, dword ptr fs:[00000030h] 17_2_05AAE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABE5CF mov eax, dword ptr fs:[00000030h] 17_2_05ABE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A865D0 mov eax, dword ptr fs:[00000030h] 17_2_05A865D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABA5D0 mov eax, dword ptr fs:[00000030h] 17_2_05ABA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AAE53E mov eax, dword ptr fs:[00000030h] 17_2_05AAE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90535 mov eax, dword ptr fs:[00000030h] 17_2_05A90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B16500 mov eax, dword ptr fs:[00000030h] 17_2_05B16500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B54500 mov eax, dword ptr fs:[00000030h] 17_2_05B54500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB656A mov eax, dword ptr fs:[00000030h] 17_2_05AB656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A88550 mov eax, dword ptr fs:[00000030h] 17_2_05A88550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0A4B0 mov eax, dword ptr fs:[00000030h] 17_2_05B0A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A864AB mov eax, dword ptr fs:[00000030h] 17_2_05A864AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB44B0 mov ecx, dword ptr fs:[00000030h] 17_2_05AB44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B3A49A mov eax, dword ptr fs:[00000030h] 17_2_05B3A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A804E5 mov ecx, dword ptr fs:[00000030h] 17_2_05A804E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7C427 mov eax, dword ptr fs:[00000030h] 17_2_05A7C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7E420 mov eax, dword ptr fs:[00000030h] 17_2_05A7E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B06420 mov eax, dword ptr fs:[00000030h] 17_2_05B06420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABA430 mov eax, dword ptr fs:[00000030h] 17_2_05ABA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB8402 mov eax, dword ptr fs:[00000030h] 17_2_05AB8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0C460 mov ecx, dword ptr fs:[00000030h] 17_2_05B0C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AAA470 mov eax, dword ptr fs:[00000030h] 17_2_05AAA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B3A456 mov eax, dword ptr fs:[00000030h] 17_2_05B3A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABE443 mov eax, dword ptr fs:[00000030h] 17_2_05ABE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AA245A mov eax, dword ptr fs:[00000030h] 17_2_05AA245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7645D mov eax, dword ptr fs:[00000030h] 17_2_05A7645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A807AF mov eax, dword ptr fs:[00000030h] 17_2_05A807AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B347A0 mov eax, dword ptr fs:[00000030h] 17_2_05B347A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2678E mov eax, dword ptr fs:[00000030h] 17_2_05B2678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AA27ED mov eax, dword ptr fs:[00000030h] 17_2_05AA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0E7E1 mov eax, dword ptr fs:[00000030h] 17_2_05B0E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A847FB mov eax, dword ptr fs:[00000030h] 17_2_05A847FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8C7C0 mov eax, dword ptr fs:[00000030h] 17_2_05A8C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B007C3 mov eax, dword ptr fs:[00000030h] 17_2_05B007C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABC720 mov eax, dword ptr fs:[00000030h] 17_2_05ABC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABC720 mov eax, dword ptr fs:[00000030h] 17_2_05ABC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB273C mov eax, dword ptr fs:[00000030h] 17_2_05AB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB273C mov ecx, dword ptr fs:[00000030h] 17_2_05AB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB273C mov eax, dword ptr fs:[00000030h] 17_2_05AB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFC730 mov eax, dword ptr fs:[00000030h] 17_2_05AFC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABC700 mov eax, dword ptr fs:[00000030h] 17_2_05ABC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A80710 mov eax, dword ptr fs:[00000030h] 17_2_05A80710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB0710 mov eax, dword ptr fs:[00000030h] 17_2_05AB0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A88770 mov eax, dword ptr fs:[00000030h] 17_2_05A88770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h] 17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B04755 mov eax, dword ptr fs:[00000030h] 17_2_05B04755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB674D mov esi, dword ptr fs:[00000030h] 17_2_05AB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB674D mov eax, dword ptr fs:[00000030h] 17_2_05AB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB674D mov eax, dword ptr fs:[00000030h] 17_2_05AB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0E75D mov eax, dword ptr fs:[00000030h] 17_2_05B0E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A80750 mov eax, dword ptr fs:[00000030h] 17_2_05A80750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2750 mov eax, dword ptr fs:[00000030h] 17_2_05AC2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2750 mov eax, dword ptr fs:[00000030h] 17_2_05AC2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABC6A6 mov eax, dword ptr fs:[00000030h] 17_2_05ABC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB66B0 mov eax, dword ptr fs:[00000030h] 17_2_05AB66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A84690 mov eax, dword ptr fs:[00000030h] 17_2_05A84690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A84690 mov eax, dword ptr fs:[00000030h] 17_2_05A84690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B006F1 mov eax, dword ptr fs:[00000030h] 17_2_05B006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B006F1 mov eax, dword ptr fs:[00000030h] 17_2_05B006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFE6F2 mov eax, dword ptr fs:[00000030h] 17_2_05AFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFE6F2 mov eax, dword ptr fs:[00000030h] 17_2_05AFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFE6F2 mov eax, dword ptr fs:[00000030h] 17_2_05AFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFE6F2 mov eax, dword ptr fs:[00000030h] 17_2_05AFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABA6C7 mov ebx, dword ptr fs:[00000030h] 17_2_05ABA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABA6C7 mov eax, dword ptr fs:[00000030h] 17_2_05ABA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8262C mov eax, dword ptr fs:[00000030h] 17_2_05A8262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB6620 mov eax, dword ptr fs:[00000030h] 17_2_05AB6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB8620 mov eax, dword ptr fs:[00000030h] 17_2_05AB8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9E627 mov eax, dword ptr fs:[00000030h] 17_2_05A9E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h] 17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h] 17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h] 17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h] 17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h] 17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h] 17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h] 17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFE609 mov eax, dword ptr fs:[00000030h] 17_2_05AFE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC2619 mov eax, dword ptr fs:[00000030h] 17_2_05AC2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABA660 mov eax, dword ptr fs:[00000030h] 17_2_05ABA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABA660 mov eax, dword ptr fs:[00000030h] 17_2_05ABA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B4866E mov eax, dword ptr fs:[00000030h] 17_2_05B4866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B4866E mov eax, dword ptr fs:[00000030h] 17_2_05B4866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB2674 mov eax, dword ptr fs:[00000030h] 17_2_05AB2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9C640 mov eax, dword ptr fs:[00000030h] 17_2_05A9C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC0185 mov eax, dword ptr fs:[00000030h] 17_2_05AC0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0019F mov eax, dword ptr fs:[00000030h] 17_2_05B0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0019F mov eax, dword ptr fs:[00000030h] 17_2_05B0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0019F mov eax, dword ptr fs:[00000030h] 17_2_05B0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0019F mov eax, dword ptr fs:[00000030h] 17_2_05B0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7A197 mov eax, dword ptr fs:[00000030h] 17_2_05A7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7A197 mov eax, dword ptr fs:[00000030h] 17_2_05A7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7A197 mov eax, dword ptr fs:[00000030h] 17_2_05A7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B24180 mov eax, dword ptr fs:[00000030h] 17_2_05B24180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B24180 mov eax, dword ptr fs:[00000030h] 17_2_05B24180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B3C188 mov eax, dword ptr fs:[00000030h] 17_2_05B3C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B3C188 mov eax, dword ptr fs:[00000030h] 17_2_05B3C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B561E5 mov eax, dword ptr fs:[00000030h] 17_2_05B561E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB01F8 mov eax, dword ptr fs:[00000030h] 17_2_05AB01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B461C3 mov eax, dword ptr fs:[00000030h] 17_2_05B461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B461C3 mov eax, dword ptr fs:[00000030h] 17_2_05B461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFE1D0 mov eax, dword ptr fs:[00000030h] 17_2_05AFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFE1D0 mov eax, dword ptr fs:[00000030h] 17_2_05AFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFE1D0 mov ecx, dword ptr fs:[00000030h] 17_2_05AFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFE1D0 mov eax, dword ptr fs:[00000030h] 17_2_05AFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFE1D0 mov eax, dword ptr fs:[00000030h] 17_2_05AFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB0124 mov eax, dword ptr fs:[00000030h] 17_2_05AB0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B40115 mov eax, dword ptr fs:[00000030h] 17_2_05B40115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2A118 mov ecx, dword ptr fs:[00000030h] 17_2_05B2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2A118 mov eax, dword ptr fs:[00000030h] 17_2_05B2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2A118 mov eax, dword ptr fs:[00000030h] 17_2_05B2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2A118 mov eax, dword ptr fs:[00000030h] 17_2_05B2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h] 17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E10E mov ecx, dword ptr fs:[00000030h] 17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h] 17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h] 17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E10E mov ecx, dword ptr fs:[00000030h] 17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h] 17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h] 17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E10E mov ecx, dword ptr fs:[00000030h] 17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h] 17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E10E mov ecx, dword ptr fs:[00000030h] 17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B54164 mov eax, dword ptr fs:[00000030h] 17_2_05B54164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B54164 mov eax, dword ptr fs:[00000030h] 17_2_05B54164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B18158 mov eax, dword ptr fs:[00000030h] 17_2_05B18158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7C156 mov eax, dword ptr fs:[00000030h] 17_2_05A7C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B14144 mov eax, dword ptr fs:[00000030h] 17_2_05B14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B14144 mov eax, dword ptr fs:[00000030h] 17_2_05B14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B14144 mov ecx, dword ptr fs:[00000030h] 17_2_05B14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B14144 mov eax, dword ptr fs:[00000030h] 17_2_05B14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B14144 mov eax, dword ptr fs:[00000030h] 17_2_05B14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A86154 mov eax, dword ptr fs:[00000030h] 17_2_05A86154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A86154 mov eax, dword ptr fs:[00000030h] 17_2_05A86154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A780A0 mov eax, dword ptr fs:[00000030h] 17_2_05A780A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B460B8 mov eax, dword ptr fs:[00000030h] 17_2_05B460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B460B8 mov ecx, dword ptr fs:[00000030h] 17_2_05B460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B180A8 mov eax, dword ptr fs:[00000030h] 17_2_05B180A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8208A mov eax, dword ptr fs:[00000030h] 17_2_05A8208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A880E9 mov eax, dword ptr fs:[00000030h] 17_2_05A880E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7A0E3 mov ecx, dword ptr fs:[00000030h] 17_2_05A7A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B060E0 mov eax, dword ptr fs:[00000030h] 17_2_05B060E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7C0F0 mov eax, dword ptr fs:[00000030h] 17_2_05A7C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC20F0 mov ecx, dword ptr fs:[00000030h] 17_2_05AC20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B020DE mov eax, dword ptr fs:[00000030h] 17_2_05B020DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B16030 mov eax, dword ptr fs:[00000030h] 17_2_05B16030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7A020 mov eax, dword ptr fs:[00000030h] 17_2_05A7A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7C020 mov eax, dword ptr fs:[00000030h] 17_2_05A7C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B04000 mov ecx, dword ptr fs:[00000030h] 17_2_05B04000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h] 17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h] 17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h] 17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h] 17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h] 17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h] 17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h] 17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h] 17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9E016 mov eax, dword ptr fs:[00000030h] 17_2_05A9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9E016 mov eax, dword ptr fs:[00000030h] 17_2_05A9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9E016 mov eax, dword ptr fs:[00000030h] 17_2_05A9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9E016 mov eax, dword ptr fs:[00000030h] 17_2_05A9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AAC073 mov eax, dword ptr fs:[00000030h] 17_2_05AAC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B06050 mov eax, dword ptr fs:[00000030h] 17_2_05B06050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A82050 mov eax, dword ptr fs:[00000030h] 17_2_05A82050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AA438F mov eax, dword ptr fs:[00000030h] 17_2_05AA438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AA438F mov eax, dword ptr fs:[00000030h] 17_2_05AA438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7E388 mov eax, dword ptr fs:[00000030h] 17_2_05A7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7E388 mov eax, dword ptr fs:[00000030h] 17_2_05A7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7E388 mov eax, dword ptr fs:[00000030h] 17_2_05A7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A78397 mov eax, dword ptr fs:[00000030h] 17_2_05A78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A78397 mov eax, dword ptr fs:[00000030h] 17_2_05A78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A78397 mov eax, dword ptr fs:[00000030h] 17_2_05A78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h] 17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h] 17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h] 17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h] 17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h] 17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h] 17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h] 17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h] 17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB63FF mov eax, dword ptr fs:[00000030h] 17_2_05AB63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9E3F0 mov eax, dword ptr fs:[00000030h] 17_2_05A9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9E3F0 mov eax, dword ptr fs:[00000030h] 17_2_05A9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9E3F0 mov eax, dword ptr fs:[00000030h] 17_2_05A9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B243D4 mov eax, dword ptr fs:[00000030h] 17_2_05B243D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B243D4 mov eax, dword ptr fs:[00000030h] 17_2_05B243D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h] 17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h] 17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h] 17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h] 17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h] 17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h] 17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A883C0 mov eax, dword ptr fs:[00000030h] 17_2_05A883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A883C0 mov eax, dword ptr fs:[00000030h] 17_2_05A883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A883C0 mov eax, dword ptr fs:[00000030h] 17_2_05A883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A883C0 mov eax, dword ptr fs:[00000030h] 17_2_05A883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E3DB mov eax, dword ptr fs:[00000030h] 17_2_05B2E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E3DB mov eax, dword ptr fs:[00000030h] 17_2_05B2E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E3DB mov ecx, dword ptr fs:[00000030h] 17_2_05B2E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2E3DB mov eax, dword ptr fs:[00000030h] 17_2_05B2E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B063C0 mov eax, dword ptr fs:[00000030h] 17_2_05B063C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B3C3CD mov eax, dword ptr fs:[00000030h] 17_2_05B3C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B58324 mov eax, dword ptr fs:[00000030h] 17_2_05B58324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B58324 mov ecx, dword ptr fs:[00000030h] 17_2_05B58324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B58324 mov eax, dword ptr fs:[00000030h] 17_2_05B58324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B58324 mov eax, dword ptr fs:[00000030h] 17_2_05B58324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABA30B mov eax, dword ptr fs:[00000030h] 17_2_05ABA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABA30B mov eax, dword ptr fs:[00000030h] 17_2_05ABA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABA30B mov eax, dword ptr fs:[00000030h] 17_2_05ABA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7C310 mov ecx, dword ptr fs:[00000030h] 17_2_05A7C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AA0310 mov ecx, dword ptr fs:[00000030h] 17_2_05AA0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B2437C mov eax, dword ptr fs:[00000030h] 17_2_05B2437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B28350 mov ecx, dword ptr fs:[00000030h] 17_2_05B28350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B4A352 mov eax, dword ptr fs:[00000030h] 17_2_05B4A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0035C mov eax, dword ptr fs:[00000030h] 17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0035C mov eax, dword ptr fs:[00000030h] 17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0035C mov eax, dword ptr fs:[00000030h] 17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0035C mov ecx, dword ptr fs:[00000030h] 17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0035C mov eax, dword ptr fs:[00000030h] 17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0035C mov eax, dword ptr fs:[00000030h] 17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h] 17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B5634F mov eax, dword ptr fs:[00000030h] 17_2_05B5634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A902A0 mov eax, dword ptr fs:[00000030h] 17_2_05A902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A902A0 mov eax, dword ptr fs:[00000030h] 17_2_05A902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B162A0 mov eax, dword ptr fs:[00000030h] 17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B162A0 mov ecx, dword ptr fs:[00000030h] 17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B162A0 mov eax, dword ptr fs:[00000030h] 17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B162A0 mov eax, dword ptr fs:[00000030h] 17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B162A0 mov eax, dword ptr fs:[00000030h] 17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B162A0 mov eax, dword ptr fs:[00000030h] 17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABE284 mov eax, dword ptr fs:[00000030h] 17_2_05ABE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABE284 mov eax, dword ptr fs:[00000030h] 17_2_05ABE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B00283 mov eax, dword ptr fs:[00000030h] 17_2_05B00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B00283 mov eax, dword ptr fs:[00000030h] 17_2_05B00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B00283 mov eax, dword ptr fs:[00000030h] 17_2_05B00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A902E1 mov eax, dword ptr fs:[00000030h] 17_2_05A902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A902E1 mov eax, dword ptr fs:[00000030h] 17_2_05A902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A902E1 mov eax, dword ptr fs:[00000030h] 17_2_05A902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B562D6 mov eax, dword ptr fs:[00000030h] 17_2_05B562D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8A2C3 mov eax, dword ptr fs:[00000030h] 17_2_05A8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7823B mov eax, dword ptr fs:[00000030h] 17_2_05A7823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h] 17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A84260 mov eax, dword ptr fs:[00000030h] 17_2_05A84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7826B mov eax, dword ptr fs:[00000030h] 17_2_05A7826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B3A250 mov eax, dword ptr fs:[00000030h] 17_2_05B3A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B5625D mov eax, dword ptr fs:[00000030h] 17_2_05B5625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A86259 mov eax, dword ptr fs:[00000030h] 17_2_05A86259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B08243 mov eax, dword ptr fs:[00000030h] 17_2_05B08243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B08243 mov ecx, dword ptr fs:[00000030h] 17_2_05B08243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7A250 mov eax, dword ptr fs:[00000030h] 17_2_05A7A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB6DA0 mov eax, dword ptr fs:[00000030h] 17_2_05AB6DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AA8DBF mov eax, dword ptr fs:[00000030h] 17_2_05AA8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B54DAD mov eax, dword ptr fs:[00000030h] 17_2_05B54DAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B48DAE mov eax, dword ptr fs:[00000030h] 17_2_05B48DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABCDB1 mov ecx, dword ptr fs:[00000030h] 17_2_05ABCDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABCDB1 mov eax, dword ptr fs:[00000030h] 17_2_05ABCDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B20DF0 mov eax, dword ptr fs:[00000030h] 17_2_05B20DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8ADE0 mov eax, dword ptr fs:[00000030h] 17_2_05A8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AA0DE1 mov eax, dword ptr fs:[00000030h] 17_2_05AA0DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7CDEA mov eax, dword ptr fs:[00000030h] 17_2_05A7CDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A76DF6 mov eax, dword ptr fs:[00000030h] 17_2_05A76DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AACDF0 mov eax, dword ptr fs:[00000030h] 17_2_05AACDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AACDF0 mov ecx, dword ptr fs:[00000030h] 17_2_05AACDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B04DD7 mov eax, dword ptr fs:[00000030h] 17_2_05B04DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AAEDD3 mov eax, dword ptr fs:[00000030h] 17_2_05AAEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B54D30 mov eax, dword ptr fs:[00000030h] 17_2_05B54D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B08D20 mov eax, dword ptr fs:[00000030h] 17_2_05B08D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B38D10 mov eax, dword ptr fs:[00000030h] 17_2_05B38D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A9AD00 mov eax, dword ptr fs:[00000030h] 17_2_05A9AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB4D1D mov eax, dword ptr fs:[00000030h] 17_2_05AB4D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A76D10 mov eax, dword ptr fs:[00000030h] 17_2_05A76D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B18D6B mov eax, dword ptr fs:[00000030h] 17_2_05B18D6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A80D59 mov eax, dword ptr fs:[00000030h] 17_2_05A80D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A88D59 mov eax, dword ptr fs:[00000030h] 17_2_05A88D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h] 17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFCCA0 mov ecx, dword ptr fs:[00000030h] 17_2_05AFCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AFCCA0 mov eax, dword ptr fs:[00000030h] 17_2_05AFCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AA8CB1 mov eax, dword ptr fs:[00000030h] 17_2_05AA8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A78C8D mov eax, dword ptr fs:[00000030h] 17_2_05A78C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB2CF0 mov eax, dword ptr fs:[00000030h] 17_2_05AB2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7CCC8 mov eax, dword ptr fs:[00000030h] 17_2_05A7CCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A78CD0 mov eax, dword ptr fs:[00000030h] 17_2_05A78CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B24C34 mov eax, dword ptr fs:[00000030h] 17_2_05B24C34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B24C34 mov ecx, dword ptr fs:[00000030h] 17_2_05B24C34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7EC20 mov eax, dword ptr fs:[00000030h] 17_2_05A7EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B1CC20 mov eax, dword ptr fs:[00000030h] 17_2_05B1CC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A90C00 mov eax, dword ptr fs:[00000030h] 17_2_05A90C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABCC00 mov eax, dword ptr fs:[00000030h] 17_2_05ABCC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B04C0F mov eax, dword ptr fs:[00000030h] 17_2_05B04C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB4C59 mov eax, dword ptr fs:[00000030h] 17_2_05AB4C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A86C50 mov eax, dword ptr fs:[00000030h] 17_2_05A86C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A8AC50 mov eax, dword ptr fs:[00000030h] 17_2_05A8AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABCF80 mov eax, dword ptr fs:[00000030h] 17_2_05ABCF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB2F98 mov eax, dword ptr fs:[00000030h] 17_2_05AB2F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B36FF7 mov eax, dword ptr fs:[00000030h] 17_2_05B36FF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B54FE7 mov eax, dword ptr fs:[00000030h] 17_2_05B54FE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AC0FF6 mov eax, dword ptr fs:[00000030h] 17_2_05AC0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A82FC8 mov eax, dword ptr fs:[00000030h] 17_2_05A82FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7EFD8 mov eax, dword ptr fs:[00000030h] 17_2_05A7EFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AAEF28 mov eax, dword ptr fs:[00000030h] 17_2_05AAEF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B36F00 mov eax, dword ptr fs:[00000030h] 17_2_05B36F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABCF1F mov eax, dword ptr fs:[00000030h] 17_2_05ABCF1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A82F12 mov eax, dword ptr fs:[00000030h] 17_2_05A82F12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AAAF69 mov eax, dword ptr fs:[00000030h] 17_2_05AAAF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B22F60 mov eax, dword ptr fs:[00000030h] 17_2_05B22F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B54F68 mov eax, dword ptr fs:[00000030h] 17_2_05B54F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B20F50 mov eax, dword ptr fs:[00000030h] 17_2_05B20F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B04F40 mov eax, dword ptr fs:[00000030h] 17_2_05B04F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B24F42 mov eax, dword ptr fs:[00000030h] 17_2_05B24F42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7CF50 mov eax, dword ptr fs:[00000030h] 17_2_05A7CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05ABCF50 mov eax, dword ptr fs:[00000030h] 17_2_05ABCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B1AEB0 mov eax, dword ptr fs:[00000030h] 17_2_05B1AEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05B0CEA0 mov eax, dword ptr fs:[00000030h] 17_2_05B0CEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB2E9C mov eax, dword ptr fs:[00000030h] 17_2_05AB2E9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05AB2E9C mov ecx, dword ptr fs:[00000030h] 17_2_05AB2E9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A7AE90 mov eax, dword ptr fs:[00000030h] 17_2_05A7AE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 17_2_05A86EE0 mov eax, dword ptr fs:[00000030h] 17_2_05A86EE0
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp"
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Users\user\Desktop\BL-INV-PL-ISO.exe VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Queries volume information: C:\Users\user\AppData\Roaming\dZxrrOCj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
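The behavior lines and Yara matches above are easier to reason about once the process and memory-region fields are decoded: the leading hexadecimal field of each .sdmp dump name (00000011) is the PID 17 that the .unpack entries attribute to vbc.exe, and the BL-INV-PL-ISO.exe read of MachineGuid is a host-fingerprinting step rather than loader noise. The Python below is an added triage helper, not part of the sandbox report or its tooling. It parses lines in exactly the shape shown above (a few of them re-typed inline as constructed input), resolves dump PIDs to image names, and separates the two lines worth attention from the volume-information queries. Treating the fifth dot-separated field of the dump name as a PAGE_* protection constant is an assumption about the naming scheme that the report does not document; the remaining fields are left undecoded.

```python
"""Triage helper for 'Source: ...' behavior and Yara-match lines in the report
layout shown above. Added example; not code from the sandbox vendor."""
import re
from collections import defaultdict

# Constructed sample input: lines re-typed in the shape of the report above.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation",
    r"Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe Queries volume information: C:\Users\user\AppData\Roaming\dZxrrOCj.exe VolumeInformation",
    r"Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    "Source: Yara match File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY",
]

BEHAVIOR_RE = re.compile(
    r"^Source: (?P<proc>\S+\.exe) "
    r"(?P<action>Queries volume information|Key value queried): (?P<rest>.+)$")
# "<pid>.<run>.<image>.<base>.<n>[.raw].unpack" -- PID in decimal here.
YARA_UNPACK_RE = re.compile(
    r"^Source: Yara match File source: (?P<pid>\d+)\.(?P<run>\d+)\.(?P<image>.+?\.exe)"
    r"\.(?P<base>[0-9a-f]+)\.\d+\.(?:raw\.)?unpack, type: (?P<type>\w+)$", re.I)
# "<pid>.<run>.<timestamp>.<base>.<prot>.<f>.<f>.<f>.sdmp" -- PID in hex here.
# ASSUMPTION: the field after the base address is a Win32 PAGE_* constant.
YARA_MEM_RE = re.compile(
    r"^Source: Yara match File source: (?P<pid>[0-9a-f]{8})\.(?P<run>[0-9a-f]{8})\.\d+"
    r"\.(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})(?:\.[0-9a-f]{8}){3}\.sdmp, type: (?P<type>\w+)$", re.I)

# Win32 memory protection constants (winnt.h).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_report(lines):
    """Return {'behavior': {process: [(action, target), ...]}, 'yara': [dict, ...]}."""
    behavior = defaultdict(list)
    yara = []
    for line in lines:
        line = line.strip()
        m = BEHAVIOR_RE.match(line)
        if m:
            rest = m["rest"]
            if m["action"] == "Queries volume information":
                target = rest.rsplit(" VolumeInformation", 1)[0]   # drop trailing kind token
            else:
                target = rest                                      # "<key> <value name>"
            behavior[m["proc"]].append((m["action"], target))
            continue
        m = YARA_UNPACK_RE.match(line)
        if m:
            yara.append({"pid": int(m["pid"]), "run": int(m["run"]), "image": m["image"],
                         "base": int(m["base"], 16), "prot": None, "type": m["type"]})
            continue
        m = YARA_MEM_RE.match(line)
        if m:
            prot = int(m["prot"], 16)
            yara.append({"pid": int(m["pid"], 16), "run": int(m["run"], 16), "image": None,
                         "base": int(m["base"], 16),
                         "prot": PAGE_PROTECT.get(prot, hex(prot)), "type": m["type"]})
    return {"behavior": dict(behavior), "yara": yara}


def _name(path):
    return path.rsplit("\\", 1)[-1]


def triage(parsed):
    """Turn parsed entries into findings, highest signal first."""
    findings = []
    # 1. MachineGuid is a stable per-install value: reading it fingerprints the host.
    for proc, events in parsed["behavior"].items():
        for action, target in events:
            if action == "Key value queried" and target.endswith(" MachineGuid"):
                findings.append(f"{_name(proc)} read {target} (host fingerprint)")
    # 2. Resolve the hex PID of each memory dump to the image named in the unpack entries.
    image_by_pid = {y["pid"]: y["image"] for y in parsed["yara"] if y["image"]}
    for y in parsed["yara"]:
        if y["type"] == "MEMORY":
            image = image_by_pid.get(y["pid"], "?")
            note = f"Yara hit in {image} (pid {y['pid']}) at {y['base']:#x}, {y['prot']}"
            if y["prot"] == "PAGE_EXECUTE_READWRITE":
                note += "; RWX region at an image base, typical of an injected or hollowed image"
            findings.append(note)
    # 3. Volume-information queries on GAC/catalog files are ordinary .NET loader
    #    activity, so they are summarised as counts rather than reported one by one.
    for proc, events in parsed["behavior"].items():
        n = sum(1 for a, _ in events if a == "Queries volume information")
        if n:
            findings.append(f"{_name(proc)}: {n} volume-information queries (low signal alone)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(REPORT_LINES)):
        print(finding)
```

Volume-information queries against catalog files and GAC assemblies are what any .NET host, PowerShell included, produces while loading signed assemblies, so on their own they carry little weight. The two lines that deserve follow-up are the MachineGuid read and the unpacked PE sitting at 0x400000 in an executable-and-writable region of vbc.exe, a Microsoft compiler binary that has no reason to hold such a payload.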
No contacted IP infos