

Analysis Report New Order.exe

Overview

General Information

Sample Name: New Order.exe
Analysis ID: 321195
MD5: 689357a46d00a4e9fe51ac4d82d73100
SHA1: dc5bdc1892159b46a78b15b604280781b82d8ae5
SHA256: 9f8a277b32edd2d8750e81097320cc31b9089020fa5c7b91613d422a2f55da1e
Tags: exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • New Order.exe (PID: 1428 cmdline: 'C:\Users\user\Desktop\New Order.exe' MD5: 689357A46D00A4E9FE51AC4D82D73100)
    • powershell.exe (PID: 6520 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6824 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6612 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6764 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\New Order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • New Order.exe (PID: 7040 cmdline: C:\Users\user\Desktop\New Order.exe MD5: 689357A46D00A4E9FE51AC4D82D73100)
    • WerFault.exe (PID: 1688 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 2476 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • New Order.exe (PID: 5720 cmdline: 'C:\Users\user\Desktop\New Order.exe' MD5: 689357A46D00A4E9FE51AC4D82D73100)
  • New Order.exe (PID: 6284 cmdline: 'C:\Users\user\Desktop\New Order.exe' MD5: 689357A46D00A4E9FE51AC4D82D73100)
  • New Order.exe (PID: 580 cmdline: 'C:\Users\user\Desktop\New Order.exe' MD5: 689357A46D00A4E9FE51AC4D82D73100)
  • New Order.exe (PID: 5312 cmdline: 'C:\Users\user\Desktop\New Order.exe' MD5: 689357A46D00A4E9FE51AC4D82D73100)
  • New Order.exe (PID: 5632 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' MD5: 689357A46D00A4E9FE51AC4D82D73100)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.604840237.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: New Order.exe PID: 7040 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.New Order.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe | Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: New Order.exe | Virustotal: Detection: 34%
Source: New Order.exe | ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: New Order.exe | Joe Sandbox ML: detected
Source: 11.2.New Order.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
Source: Joe Sandbox View | IP Address: 104.23.98.190
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS traffic detected: queries for: pastebin.com
Source: powershell.exe, 00000007.00000003.448132179.0000000007E4C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micro
Source: New Order.exe, 0000000B.00000002.604840237.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: New Order.exe, 0000000B.00000002.604840237.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: New Order.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 2476
Source: New Order.exe, 0000000B.00000002.604840237.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameffec eef.exe2 vs New Order.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@21/19@8/1
Source: C:\Users\user\Desktop\New Order.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1428
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_01
Source: C:\Users\user\Desktop\New Order.exe | File created: C:\Users\user\AppData\Local\Temp\ddb36c97-004c-420f-a997-52c61e1b898a
Source: New Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New Order.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: New Order.exe | Virustotal: Detection: 34%
Source: New Order.exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\New Order.exe | File read: C:\Users\user\Desktop\New Order.exe
Source: unknown | Process created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\New Order.exe' -Force
Source: unknown | Process created: C:\Users\user\Desktop\New Order.exe C:\Users\user\Desktop\New Order.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe'
Source: C:\Users\user\Desktop\New Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force
Source: C:\Users\user\Desktop\New Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\New Order.exe' -Force
Source: C:\Users\user\Desktop\New Order.exe | Process created: C:\Users\user\Desktop\New Order.exe C:\Users\user\Desktop\New Order.exe
Source: C:\Users\user\Desktop\New Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\New Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: New Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: New Order.exe | Static file information: File size 3756032 > 1048576
Source: New Order.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x394c00
Source: New Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: .pdb'x source: New Order.exe, 0000000F.00000002.699224401.00000000011C9000.00000004.00000001.sdmp
Source: Binary string: (PmjLC:\Windows\Microsoft.VisualBasic.pdb source: New Order.exe, 0000000F.00000002.699224401.00000000011C9000.00000004.00000001.sdmp
Source: Binary string: New Order.PDB- source: New Order.exe, 0000000F.00000002.699224401.00000000011C9000.00000004.00000001.sdmp
Source: Binary string: npxjVisualBasic.pdbD source: New Order.exe, 0000000F.00000002.699224401.00000000011C9000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\New Order.PDB source: New Order.exe, 0000000F.00000002.699224401.00000000011C9000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_031017EA push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_03105ACF push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_0311BB40 push esp; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_03114F08 push esp; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_031537E2 push cs; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_03155D5A push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_03350610 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00CEDF1B push ss; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_02DB5025 pushfd ; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_02DB1A71 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_02DB1B08 pushad ; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_02DB1888 push eax; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_02DB5E21 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_02DD5D30 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0090441E push 8B0577A7h; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00924074 push es; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00927371 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_009274C1 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_009265B0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00996217 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00990F05 push eax; mov dword ptr [esp], edx

Boot Survival:

        Creates an undocumented autostart registry key Show sources
        Source: C:\Users\user\Desktop\New Order.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shellJump to behavior
        Creates autostart registry keys with suspicious namesShow sources
        Source: C:\Users\user\Desktop\New Order.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>Jump to behavior
        Creates multiple autostart registry keysShow sources
        Source: C:\Users\user\Desktop\New Order.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>Jump to behavior
        Source: C:\Users\user\Desktop\New Order.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run New Order.exeJump to behavior
        Drops PE files to the startup folderShow sources
        Source: C:\Users\user\Desktop\New Order.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exeJump to dropped file
        Source: C:\Users\user\Desktop\New Order.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exeJump to behavior
        Source: C:\Users\user\Desktop\New Order.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exeJump to behavior
        Source: C:\Users\user\Desktop\New Order.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe\:Zone.Identifier:$DATAJump to behavior
        Source: C:\Users\user\Desktop\New Order.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>Jump to behavior
        Source: C:\Users\user\Desktop\New Order.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>Jump to behavior
        Source: C:\Users\user\Desktop\New Order.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run New Order.exeJump to behavior
        Source: C:\Users\user\Desktop\New Order.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run New Order.exeJump to behavior
        Source: C:\Users\user\Desktop\New Order.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Windows\SysWOW64\WerFault.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
        Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        Source: C:\Users\user\Desktop\New Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
        Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
        Source: C:\Users\user\Desktop\New Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        Source: C:\Users\user\Desktop\New Order.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
        Source: C:\Users\user\Desktop\New Order.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
        Source: C:\Users\user\Desktop\New Order.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
        Source: C:\Users\user\Desktop\New Order.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
        Source: C:\Users\user\Desktop\New Order.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
        Source: C:\Users\user\Desktop\New Order.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
        Source: C:\Users\user\Desktop\New Order.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
        Source: C:\Users\user\Desktop\New Order.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
        Source: C:\Users\user\Desktop\New Order.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\New Order.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
        Source: C:\Users\user\Desktop\New Order.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\New Order.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 840
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 717
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 560
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 525
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 351
        Source: C:\Users\user\Desktop\New Order.exe Window / User API: threadDelayed 419
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6712 Thread sleep count: 840 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6788 Thread sleep count: 312 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3164 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5416 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6868 Thread sleep count: 351 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6868 Thread sleep count: 250 > 30
        Source: C:\Users\user\Desktop\New Order.exe TID: 3312 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Users\user\Desktop\New Order.exe TID: 7096 Thread sleep count: 76 > 30
        Source: C:\Users\user\Desktop\New Order.exe TID: 7096 Thread sleep count: 419 > 30
        Source: C:\Users\user\Desktop\New Order.exe TID: 3312 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
        Source: C:\Users\user\Desktop\New Order.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
        Source: C:\Users\user\Desktop\New Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\New Order.exe Last function: Thread delayed
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00CBA230 GetSystemInfo,
        Source: New Order.exe, 0000001A.00000002.696829642.0000000000FE1000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: WerFault.exe, 0000000E.00000002.510827492.0000000000756000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
        Source: New Order.exe, 0000001A.00000002.696829642.0000000000FE1000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
        Source: WerFault.exe, 0000000E.00000002.509765532.0000000000729000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW0}v%SystemRoot%\system32\mswsock.dllid" val=p
        Source: WerFault.exe, 0000000E.00000002.510827492.0000000000756000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWYam
        Source: C:\Users\user\Desktop\New Order.exe Process information queried: ProcessInformation

        Anti Debugging:

        Hides threads from debuggers
        Source: C:\Users\user\Desktop\New Order.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\New Order.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\New Order.exe Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\New Order.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Adds a directory exclusion to Windows Defender
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\New Order.exe' -Force
        Source: C:\Users\user\Desktop\New Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force
        Source: C:\Users\user\Desktop\New Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\New Order.exe' -Force
        Source: C:\Users\user\Desktop\New Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force
        Source: C:\Users\user\Desktop\New Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force
        Source: C:\Users\user\Desktop\New Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force
        Source: C:\Users\user\Desktop\New Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\New Order.exe' -Force
        Source: C:\Users\user\Desktop\New Order.exeProcess created: C:\Users\user\Desktop\New Order.exe C:\Users\user\Desktop\New Order.exe
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0000000B.00000002.604840237.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order.exe PID: 7040, type: MEMORY
Source: Yara match | File source: 11.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0000000B.00000002.604840237.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order.exe PID: 7040, type: MEMORY
Source: Yara match | File source: 11.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

Numbers following a technique name are the matrix's signature-hit badges, reproduced as extracted. Cells are separated by " | ".

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 321 | Startup Items 1 | Startup Items 1 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 421 | Process Injection 11 | Modify Registry 1 | LSASS Memory | Security Software Discovery 451 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | DLL Side-Loading 1 | Registry Run Keys / Startup Folder 421 | Virtualization/Sandbox Evasion 37 | Security Account Manager | Virtualization/Sandbox Evasion 37 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | DLL Side-Loading 1 | Disable or Modify Tools 11 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 11 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | System Information Discovery 134 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

        Behavior Graph

[Behavior graph, ID 321195; sample: New Order.exe; start date: 20/11/2020; architecture: WINDOWS; score: 100. Recoverable graph content:]
Start node signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 8 other signatures.
Contacted hosts: pastebin.com (104.23.98.190, port 443, from ports 49731 and 49759, CLOUDFLARENETUS, United States; signature: Connects to a pastebin service (likely for C&C)); g.msn.com.
Processes started from the start node: New Order.exe (24 files, 6 registry values), New Order.exe, New Order.exe, and 3 other processes.
Dropped by the first New Order.exe: C:\Users\user\AppData\...\New Order.exe (PE32); C:\Users\...\New Order.exe:Zone.Identifier (ASCII).
Signatures on that process: Creates an undocumented autostart registry key; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; 2 other signatures.
Child processes: WerFault.exe (dropped C:\ProgramData\Microsoft\...\Report.wer, Little-endian); powershell.exe (12); powershell.exe (8); 3 other processes; each powershell.exe started a conhost.exe.

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
New Order.exe | 35% | Virustotal |
New Order.exe | 27% | ReversingLabs |
New Order.exe | 100% | Joe Sandbox ML |

        Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe | 35% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe | 27% | ReversingLabs |

        Unpacked PE Files

Source | Detection | Scanner | Label
11.2.New Order.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
http://crl.micro | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pastebin.com | 104.23.98.190 | true | false | | high
g.msn.com | unknown | unknown | false | | high

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.micro | powershell.exe, 00000007.00000003.448132179.0000000007E4C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot%telegramapi%/ | New Order.exe, 0000000B.00000002.604840237.0000000000402000.00000040.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | New Order.exe, 0000000B.00000002.604840237.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

              Contacted IPs

              Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.23.98.190 | unknown | United States | 13335 | CLOUDFLARENETUS | false

              General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321195
Start date: 20.11.2020
Start time: 15:34:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: New Order.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.evad.winEXE@21/19@8/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.147.198.201, 40.88.32.150, 51.104.139.180, 8.253.204.121, 8.253.95.121, 8.241.123.254, 8.248.113.254, 8.241.9.254, 51.103.5.186, 52.155.217.156, 20.54.26.129, 52.142.114.176, 92.122.213.247, 92.122.213.194, 52.255.188.83, 92.122.144.200
              • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, skypedataprdcolwus15.cloudapp.net
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

Time | Type | Description
15:35:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\New Order.exe
15:35:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run New Order.exe C:\Users\user\Desktop\New Order.exe
15:36:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\New Order.exe
15:36:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run New Order.exe C:\Users\user\Desktop\New Order.exe
15:36:20 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe
15:36:36 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
15:36:51 | API Interceptor | 243x Sleep call for process: New Order.exe modified
15:37:07 | API Interceptor | 56x Sleep call for process: powershell.exe modified

              Joe Sandbox View / Context

              IPs

               Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
               104.23.98.190 | b095b966805abb7df4ffddf183def880.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | E1Q0TjeN32.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | 6YCl3ATKJw.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | Hjnb15Nuc3.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | JDgYMW0LHW.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | 4av8Sn32by.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | 5T4Ykc0VSK.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | afvhKak0Ir.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | T6OcyQsUsY.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | 1KITgJnGbI.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | PxwWcmbMC5.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | XnAJZR4NcN.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | PbTwrajNMX.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | 22NO7gVJ7r.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | rE7DwszvrX.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | VjPHSJkwr6.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | wf86K0dpOP.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | VrR9J0FnSG.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | 6C1MYmrVl1.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0
               104.23.98.190 | aTZQZVVriQ.exe | Get hash | malicious | Browse | pastebin.com/raw/XMKKNkb0

              Domains

               Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
               pastebin.com | 23prRlqeGr.exe | Get hash | malicious | Browse | 104.23.98.190
               pastebin.com | BT2wDapfoI.exe | Get hash | malicious | Browse | 104.23.98.190
               pastebin.com | 23692 ANRITSU PROBE po 29288.exe | Get hash | malicious | Browse | 104.23.99.190
               pastebin.com | PO #5618896.gz.exe | Get hash | malicious | Browse | 104.23.98.190
               pastebin.com | ShippingDoc.jar | Get hash | malicious | Browse | 104.23.98.190
               pastebin.com | a66a5257bb6ee2e690450c48a91815d4.exe | Get hash | malicious | Browse | 104.23.99.190
               pastebin.com | Status____201711.gz.exe | Get hash | malicious | Browse | 104.23.98.190
               pastebin.com | b095b966805abb7df4ffddf183def880.exe | Get hash | malicious | Browse | 104.23.98.190
               pastebin.com | aguhvLvn.exe | Get hash | malicious | Browse | 104.23.98.190
               pastebin.com | http://151.80.37.64/exploit/description/34365 | Get hash | malicious | Browse | 104.23.99.190
               pastebin.com | order2020.PDF.exe | Get hash | malicious | Browse | 104.23.98.190
               pastebin.com | web ori2.exe | Get hash | malicious | Browse | 104.23.99.190
               pastebin.com | Payment Confirmation NOV-85869983TGTTAS.exe | Get hash | malicious | Browse | 104.23.99.190
               pastebin.com | 7fYoHeaCBG.exe | Get hash | malicious | Browse | 104.23.99.190
               pastebin.com | DETALLE DE PAGO.exe | Get hash | malicious | Browse | 104.23.99.190
               pastebin.com | E1Q0TjeN32.exe | Get hash | malicious | Browse | 104.23.98.190
               pastebin.com | O9f3XKg5N7.exe | Get hash | malicious | Browse | 104.23.99.190
               pastebin.com | 6YCl3ATKJw.exe | Get hash | malicious | Browse | 104.23.98.190
               pastebin.com | r0QRptqiCl.exe | Get hash | malicious | Browse | 104.23.99.190
               pastebin.com | Hjnb15Nuc3.exe | Get hash | malicious | Browse | 104.23.98.190

              ASN

               Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
               CLOUDFLARENETUS | https://eagleeyeproduce-my.sharepoint.com/:o:/p/mckrayp/EtopxtQDn3pOqhvY4g_gG3ABKX9ornSoGNhGOLlXyaU89Q?e=Ee0wW2 | Get hash | malicious | Browse | 104.16.19.94
               CLOUDFLARENETUS | https://certified1.box.com/s/2ta9r7cyn5g09fblryd9xqqpnfxbjqej | Get hash | malicious | Browse | 104.16.19.94
               CLOUDFLARENETUS | Report.464129889.doc | Get hash | malicious | Browse | 104.28.21.160
               CLOUDFLARENETUS | SecuriteInfo.com.Trojan.PWS.StealerNET.67.29498.exe | Get hash | malicious | Browse | 104.28.29.208
               CLOUDFLARENETUS | http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1 | Get hash | malicious | Browse | 104.18.27.190
               CLOUDFLARENETUS | https://ubereats.app.link/cwmLFZfMz5?%243p=a_custom_354088&%24deeplink_path=promo%2Fapply%3FpromoCode%3DRECONFORT7&%24desktop_url=tracking.spectrumemp.com/el?aid=8feeb968-bdd0-11e8-b27f-22000be0a14e&rid=50048635&pid=285843&cid=513&dest=overlordscan.com/cmV0by5tZXR6bGVyQGlzb2x1dGlvbnMuY2g=%23#kkowfocjoyuynaip# | Get hash | malicious | Browse | 104.24.97.83
               CLOUDFLARENETUS | https://hastebin.com/raw/xatuvoxixa | Get hash | malicious | Browse | 104.24.126.89
               CLOUDFLARENETUS | https://bit.ly/35MTO80 | Get hash | malicious | Browse | 104.31.69.156
               CLOUDFLARENETUS | Order List.xlsx | Get hash | malicious | Browse | 104.24.122.89
               CLOUDFLARENETUS | USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Get hash | malicious | Browse | 162.159.133.233
               CLOUDFLARENETUS | Request for quotation.xlsx | Get hash | malicious | Browse | 172.67.181.41
               CLOUDFLARENETUS | MV TBN.exe | Get hash | malicious | Browse | 104.28.5.151
               CLOUDFLARENETUS | PO 20-11-2020.pps | Get hash | malicious | Browse | 172.67.22.135
               CLOUDFLARENETUS | Quotation ATB-PR28500KINH.exe | Get hash | malicious | Browse | 1.1.1.1
               CLOUDFLARENETUS | 23prRlqeGr.exe | Get hash | malicious | Browse | 104.23.98.190
               CLOUDFLARENETUS | RFQ-HSO-76411758-1.jar | Get hash | malicious | Browse | 104.20.23.46
               CLOUDFLARENETUS | RFQ-HSO-76411758-1.jar | Get hash | malicious | Browse | 104.20.22.46
               CLOUDFLARENETUS | iG9YiwEMru.exe | Get hash | malicious | Browse | 104.27.132.115
               CLOUDFLARENETUS | Avion Quotation Request.doc | Get hash | malicious | Browse | 104.22.54.159
               CLOUDFLARENETUS | SUSPENSION LETTER ON SIM SWAP.pdf.exe | Get hash | malicious | Browse | 172.67.131.55

              JA3 Fingerprints

               Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
               54328bd36c14bd82ddaa0c04b25ed9ad | MV TBN.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | 23prRlqeGr.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | SUSPENSION LETTER ON SIM SWAP.pdf.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | BT2wDapfoI.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | Bank SWIFT Advice_pdf.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | Purchase_Order_11_19_20.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | Proforma Invoice.xls | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | 1099008FEDEX_090887766.xls | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | quotation_0087210_pdf.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | 23692 ANRITSU PROBE po 29288.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | PO #5618896.gz.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | bGtm3bQKUj.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | https://greatdownloadplace.net/estate/formated/xlsc/Setup_v177.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | BlueJeansInstaller.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | JmuEmJ4T4r5bc8S.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | List Of Orders.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | Status____201711.gz.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | Documento relativo al carico e alla spedizione del cliente_italy2020.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | b095b966805abb7df4ffddf183def880.exe | Get hash | malicious | Browse | 104.23.98.190
               54328bd36c14bd82ddaa0c04b25ed9ad | SIN029088.xls | Get hash | malicious | Browse | 104.23.98.190

              Dropped Files

              No context

              Created / dropped Files

              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_New Order.exe_f5a230c79de9a71bf07561ca332f5bc9c4cbd_65f4d1e6_06c06390\Report.wer
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):6684
              Entropy (8bit):3.7283570594197863
              Encrypted:false
              SSDEEP:96:14tDZhr9p6PTbMlHHxpLUpXItc/NZAXGng5FMTPSkvPkpXmTAafnVXT5Ur9BUhTD:+h5EWmo/u7slS274ItqBl
              MD5:2C2585FD3E5C123F47FA63FB3E25A0F6
              SHA1:4F0FE002607C168882ACE7AD1CAE8393BBADD606
              SHA-256:6542D4AD7F3B826CB16C17115F022CBAB83B261D87950A165F10FE0F2E2445E1
              SHA-512:7A08011D26EBA72C2C409345F6502337743173EC93CFD6DBAA4FD67D1387D23EABDAD0E74D72828CC7B5E223548664F666A405DCD46CF21961615039C19220C1
              Malicious:true
              Reputation:low
              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.3.8.8.9.5.5.8.7.8.6.3.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.3.8.8.9.9.3.5.6.5.9.5.6.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.5.6.6.5.2.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.1.9.4.7.7.d.-.8.c.a.a.-.4.b.0.1.-.b.b.a.4.-.e.6.3.f.c.a.b.c.d.7.d.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.6.7.4.a.5.7.-.3.b.3.b.-.4.f.f.5.-.9.4.1.a.-.1.d.2.5.3.4.d.5.5.6.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.N.e.w. .O.r.d.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.9.4.-.0.0.0.1.-.0.0.1.7.-.b.a.9.d.-.4.a.c.e.9.5.b.f.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.d.4.f.8.5.4.1.1.3.b.7.9.9.d.5.c.e.a.b.4.0.b.4.8.c.9.b.7.d.c.3.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.5.b.d.c.1.8.9.2.1.5.9.b.4.6.a.7.8.b.1.5.b.6.0.4.2.8.0.7.8.1.b.8.2.d.8.a.e.5.!.N.e.w. .O.r.d.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.
              C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5F8.tmp.WERInternalMetadata.xml
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):7974
              Entropy (8bit):3.69132242435665
              Encrypted:false
              SSDEEP:192:Rrl7r3GLNile6vY6YJBSUIEXigmfZDSGw8CprS89bF2sfuXm:RrlsNis6A6Y/SUIEXigmfNStFVff
              MD5:3B9FAE55CF5EA3932115E628C3C70C71
              SHA1:1D527CFEDC65D9D6CE6D851CBF345D84117D03D4
              SHA-256:15F2F3C1A4AB232D56130136B01056E76796249177A297E4B4EA4CDBB61D2AEE
              SHA-512:18BBBF81E55A02661DF0A99D570C48F439F5F7DD49729176C7E7ABB5E2E744F5AE22643B74DFA5FEE0B47AA670FB4869C1E66CBA8CA7910D7137B26EEFEC6F10
              Malicious:false
              Reputation:low
              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.2.8.<./.P.i.d.>.......
              C:\ProgramData\Microsoft\Windows\WER\Temp\WERE53B.tmp.xml
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4680
              Entropy (8bit):4.450945953131055
              Encrypted:false
              SSDEEP:48:cvIwSD8zsZJgtWI9nzzHWSC8BG8fm8M4JxOFFaq+q8vxO0lHCvLbd:uITfrk6SNxJ+KblHCvLbd
              MD5:2FC6EC8140614D1EE54AAE6E28B8FB29
              SHA1:672ED993BC32B617E5384359B7CFF7B1F0755165
              SHA-256:F4824912397A203272369B256FFAACAEEF884ABCC968B1E3977D5211B36A561F
              SHA-512:44890FDB20EFF7CB854474B9D92A66B8C437B874CB970EA6BD35BCAD9C3F0E7675733F68C2D967AA401B3B4541569E2E3035411C751B30CB2172F661895D69CF
              Malicious:false
              Reputation:low
              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="737806" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:modified
              Size (bytes):698
              Entropy (8bit):5.049094101509586
              Encrypted:false
              SSDEEP:12:reVGyMYx2Y5BYtmWNUc5AtYX5E4a2KryMYGH+ptsxptsOtw9O9S8:reUyMGF5ytmLcetYX5E2KryMb+zsxzsk
              MD5:B0CEEA53B3467F59FD8E87F80213BDE9
              SHA1:D9E6D1CBB480E7248658DF935648DFA733745602
              SHA-256:D9C93CB64E6F1F5BDC94581CEEA99F759EE1E35716EAF623C61962EA0152F9DD
              SHA-512:DDAA6C9FA3535B4926C60B692F8E202D10EB160D1F8BE7A9DE79239EF75AFD470403DF1D8F0CBF29A5F819E907D02E8E656BB9A52E71E30D9259987EAE881655
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: PSMODULECACHE......w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........D..8.......C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1........Get-OperationValidation........Invoke-OperationValidation........
              C:\Users\user\AppData\Local\Temp\WERC628.tmp.WERDataCollectionStatus.txt
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
              Category:dropped
              Size (bytes):4894
              Entropy (8bit):3.2694451486441247
              Encrypted:false
              SSDEEP:96:pwpIiEkXkkX8k+1uWm0Qz0QF0Qgds0QXz0Qb0Qa3SgLXWdszeuzSzbxGQI5OmYsk:p5lNTuSl0oeyOkNfQ
              MD5:C1113E8E1C4E3AB2C3A4EDE41FF2E39A
              SHA1:CD478057635929CA69FC4FCA8A67DD290E4B41F1
              SHA-256:2940E2EC1C4D0D9B730FB6A41E75A626FC6D8D8F07A1F733B3E4E8C8C228CDFF
              SHA-512:9E8FD863ACE83534BFB589BEFC9BB921D6D8277597842ABF76FCC0F141997616599A09D722C949545E75B3AFD555E2B1D9FD866B91F73597A396E0D51AF30307
              Malicious:false
              Preview: ......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .1.3.0.4.2.4. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.6.4.9.4. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1.8. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .1.2.0.9.6. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.6.7.9.7.5.1.6.4. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t.
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2bstbykx.syk.psm1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3bliep4j.bin.psm1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_chqdqdxi.uqm.psm1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d3vsr3um.4sq.ps1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewiel5mn.hui.ps1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hty5fodu.olo.ps1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdthudso.jij.ps1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_plhi2hju.0rn.psm1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe
              Process:C:\Users\user\Desktop\New Order.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):3756032
              Entropy (8bit):5.137264171676077
              Encrypted:false
              SSDEEP:98304:JsecZvSutK+2OgmdV2iyxjNTmtjuMV2XyjzKw:eNh9oNTm9
              MD5:689357A46D00A4E9FE51AC4D82D73100
              SHA1:DC5BDC1892159B46A78B15B604280781B82D8AE5
              SHA-256:9F8A277B32EDD2D8750E81097320CC31B9089020FA5C7B91613D422A2F55DA1E
              SHA-512:3F3EC2FA1CF2BA33C4E221A358E1EFEC82313A80D8BEE3F1EBBB0FBA17051BA92CF274EF23CC4CF134537C0F3A8D22C1EFB478B6461F4B84AFF422DC2AD44F66
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Virustotal, Detection: 35%, Browse
              • Antivirus: ReversingLabs, Detection: 27%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O._.................L9..........j9.. ....9...@.. ........................9...........@.................................`j9.K.............................9...................................................... ............... ..H............text....J9.. ...L9................. ..`.reloc........9......N9.............@..B.........................................................j9.....H.......x.8.............................................................*..(....*...0..3$8..... .........% .....M.% .....Z.% .... .....% ......% ......% ......% ......% ......% ......% ......% ......% ......% .... .....% .... .....% ......% ......% .... .....% ......% ......% ......% ......% ......% ......% ......% .....@.% ......% ......% ......% ......% ......% ......% ......% .....% !.....% ".....% #.....% $.....% %.....% &.....% '.....% (.....% ).....% *.....% +.....% ,
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\New Order.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Preview: [ZoneTransfer]....ZoneId=0
              C:\Users\user\Documents\20201120\PowerShell_transcript.585948.3UB+MGH5.20201120153545.txt
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):741
              Entropy (8bit):5.350430975598896
              Encrypted:false
              SSDEEP:12:57DtSA6N47bv3fBbBB5oizx2DOzzUjjIneSuL+HSuVM1t21SWoWtPw6jewGxMKjB:BxSAx7vBVLHzx2DOXUWeSuLbuVMwSWXc
              MD5:25B7C3AB84A67DEB88FCB59E1D76EA69
              SHA1:15846219734D8CF6937D81E2D7C1E571618F81CB
              SHA-256:E8D6602EFFF74D4CB921A6CB4984CDF1BDAB07FB88C5C251C242F0E4D4297DB6
              SHA-512:4327BDC6C0D01305DB550F259E4776AFB35793BB86B610E06925F202AB7714AFC651D570757A7F0904E55D09300525F4DDF1D7CFEBC3995EA4EEB5C4088403B5
              Malicious:false
              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201120153701..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 585948 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe -Force..Process ID: 6612..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..
              C:\Users\user\Documents\20201120\PowerShell_transcript.585948.7Q6cFLSd.20201120153545.txt
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):962
              Entropy (8bit):5.301380258823377
              Encrypted:false
              SSDEEP:24:BxSA17vBVLHzx2DOXUWeSuLbuVMwSW8UHjeTKKjX4CIym1ZJX/6duLbuVMwG:BZ9vTLHzoO+SUu5ltqDYB1ZMdUu5G
              MD5:001F16B92073DF84D1DDB40593C801E3
              SHA1:B528E2A9D47761CDF656ADC2446331EC00A20091
              SHA-256:DF9DE86D0B509FF0A5CEBFFF5AAFC8F74182360E10B560A5FF260294E4C51828
              SHA-512:B7613A87BED44E5A1847AD85508E744C6878DCDD4E6D8646ACF048489C468529C1C74A4139BB3CCB8F586420A28DA17D7EC8B842E7B64AD5578E7EBAB3ED5548
              Malicious:false
              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201120153648..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 585948 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe -Force..Process ID: 6520..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201120153649..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe -Force..
              C:\Users\user\Documents\20201120\PowerShell_transcript.585948.ECkwqDy2.20201120153546.txt
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):687
              Entropy (8bit):5.344634267685728
              Encrypted:false
              SSDEEP:12:57DtSA6N4Ebv3fBbBB5oizx2DOzzUjjIneSuL2GWoWPw6jewGxMKjX4CIymgSs2m:BxSAq7vBVLHzx2DOXUWeSuLNWXHjeTKy
              MD5:B8DE820473C0E7741CFA8F10D8243207
              SHA1:68340D89C86CBAEE471F015BEBEA6980900B55E6
              SHA-256:95BE6454F7D8AD05975425DAB203BA288632DFB3B65FC0BAC9466D6E1D5A442D
              SHA-512:BF60D55FB192DDBB015E5257DDD09367D27923EFB1526C7F16809DBB1752E40F33AD0F55A2C85BC552AD9A867B404FCDA068A027DD7A421127C018233346AA60
              Malicious:false
              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201120153708..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 585948 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\New Order.exe -Force..Process ID: 6764..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..
              C:\Users\user\Documents\20201120\PowerShell_transcript.585948.LYmT1g2d.20201120153544.txt
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):962
              Entropy (8bit):5.300326727587063
              Encrypted:false
              SSDEEP:24:BxSAMD7vBVLHzx2DOXUWeSuLbuVMwSWMHjeTKKjX4CIym1ZJXUuLbuVMwG:BZMnvTLHzoO+SUu5lMqDYB1ZSUu5G
              MD5:F7942579BF455B4BD0DAFE2D894A0306
              SHA1:8A12F53F4729FE91E64595F2304908CC9F6EA187
              SHA-256:90622B07A18FA783B755F61DE287A09CC75A191A8139BED4961AB3D46E13868D
              SHA-512:A5D9D0FE8CEE352761DB0EDA70F6FAF25C7347B2C8659091DBB16D9ECD21C35CDB6E6DBBC8BA02F7006040B231E6F17AB9B819F9CD314EC7B01F65C0720EC569
              Malicious:false
              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201120153629..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 585948 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe -Force..Process ID: 6824..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201120153630..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe -Force..

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):5.137264171676077
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              • Win32 Executable (generic) a (10002005/4) 49.78%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Win16/32 Executable Delphi generic (2074/23) 0.01%
              • Generic Win/DOS Executable (2004/3) 0.01%
              File name:New Order.exe
              File size:3756032
              MD5:689357a46d00a4e9fe51ac4d82d73100
              SHA1:dc5bdc1892159b46a78b15b604280781b82d8ae5
              SHA256:9f8a277b32edd2d8750e81097320cc31b9089020fa5c7b91613d422a2f55da1e
              SHA512:3f3ec2fa1cf2ba33c4e221a358e1efec82313a80d8bee3f1ebbb0fba17051ba92cf274ef23cc4cf134537c0f3a8d22c1efb478b6461f4b84aff422dc2ad44f66
              SSDEEP:98304:JsecZvSutK+2OgmdV2iyxjNTmtjuMV2XyjzKw:eNh9oNTm9
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O._.................L9..........j9.. ....9...@.. ........................9...........@................................

              File Icon

              Icon Hash:00828e8e8686b000

              Static PE Info

              General

              Entrypoint:0x796aae
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x5FB74FFA [Fri Nov 20 05:11:22 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:v4.0.30319
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]

              Data Directories

              Name                                 | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x396a60        | 0x4b         | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x398000        | 0xc          | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

              Sections

              Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
              .text  | 0x2000          | 0x394ab4     | 0x394c00 | unknown  | unknown         | unknown   | unknown        | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .reloc | 0x398000        | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Imports

              DLL         | Import
              mscoree.dll | _CorExeMain

              Network Behavior

              Network Port Distribution

              TCP Packets


              UDP Packets


              DNS Queries

              Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name         | Type           | Class
              Nov 20, 2020 15:35:44.005836010 CET | 192.168.2.6 | 8.8.8.8 | 0x1fbf   | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
              Nov 20, 2020 15:36:14.381637096 CET | 192.168.2.6 | 8.8.8.8 | 0x9b1a   | Standard query (0) | g.msn.com    | A (IP address) | IN (0x0001)
              Nov 20, 2020 15:37:10.819080114 CET | 192.168.2.6 | 8.8.8.8 | 0x6092   | Standard query (0) | g.msn.com    | A (IP address) | IN (0x0001)
              Nov 20, 2020 15:37:28.862159967 CET | 192.168.2.6 | 8.8.8.8 | 0xbaa7   | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
              Nov 20, 2020 15:37:28.965116978 CET | 192.168.2.6 | 8.8.8.8 | 0x1f6    | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
              Nov 20, 2020 15:37:29.385303020 CET | 192.168.2.6 | 8.8.8.8 | 0xca0a   | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
              Nov 20, 2020 15:37:29.542293072 CET | 192.168.2.6 | 8.8.8.8 | 0x217d   | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
              Nov 20, 2020 15:37:29.561456919 CET | 192.168.2.6 | 8.8.8.8 | 0xa37b   | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name         | CName                              | Address       | Type                   | Class
              Nov 20, 2020 15:35:44.041527987 CET | 8.8.8.8   | 192.168.2.6 | 0x1fbf   | No error (0) | pastebin.com |                                    | 104.23.98.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:35:44.041527987 CET | 8.8.8.8   | 192.168.2.6 | 0x1fbf   | No error (0) | pastebin.com |                                    | 104.23.99.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:36:14.427799940 CET | 8.8.8.8   | 192.168.2.6 | 0x9b1a   | No error (0) | g.msn.com    | g-msn-com-nsatc.trafficmanager.net |               | CNAME (Canonical name) | IN (0x0001)
              Nov 20, 2020 15:37:10.854651928 CET | 8.8.8.8   | 192.168.2.6 | 0x6092   | No error (0) | g.msn.com    | g-msn-com-nsatc.trafficmanager.net |               | CNAME (Canonical name) | IN (0x0001)
              Nov 20, 2020 15:37:28.897542953 CET | 8.8.8.8   | 192.168.2.6 | 0xbaa7   | No error (0) | pastebin.com |                                    | 104.23.98.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:37:28.897542953 CET | 8.8.8.8   | 192.168.2.6 | 0xbaa7   | No error (0) | pastebin.com |                                    | 104.23.99.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:37:29.000781059 CET | 8.8.8.8   | 192.168.2.6 | 0x1f6    | No error (0) | pastebin.com |                                    | 104.23.98.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:37:29.000781059 CET | 8.8.8.8   | 192.168.2.6 | 0x1f6    | No error (0) | pastebin.com |                                    | 104.23.99.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:37:29.433594942 CET | 8.8.8.8   | 192.168.2.6 | 0xca0a   | No error (0) | pastebin.com |                                    | 104.23.98.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:37:29.433594942 CET | 8.8.8.8   | 192.168.2.6 | 0xca0a   | No error (0) | pastebin.com |                                    | 104.23.99.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:37:29.577861071 CET | 8.8.8.8   | 192.168.2.6 | 0x217d   | No error (0) | pastebin.com |                                    | 104.23.99.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:37:29.577861071 CET | 8.8.8.8   | 192.168.2.6 | 0x217d   | No error (0) | pastebin.com |                                    | 104.23.98.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:37:29.596904039 CET | 8.8.8.8   | 192.168.2.6 | 0xa37b   | No error (0) | pastebin.com |                                    | 104.23.98.190 | A (IP address)         | IN (0x0001)
              Nov 20, 2020 15:37:29.596904039 CET | 8.8.8.8   | 192.168.2.6 | 0xa37b   | No error (0) | pastebin.com |                                    | 104.23.99.190 | A (IP address)         | IN (0x0001)

              HTTPS Packets

              Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
              Nov 20, 2020 15:35:44.125085115 CET | 104.23.98.190 | 443 | 192.168.2.6 | 49731 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
              (chain, same connection) | | | | | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
              Nov 20, 2020 15:37:29.098422050 CET | 104.23.98.190 | 443 | 192.168.2.6 | 49759 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
              (chain, same connection) | | | | | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
              Nov 20, 2020 15:37:29.165126085 CET | 104.23.98.190 | 443 | 192.168.2.6 | 49760 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
              (chain, same connection) | | | | | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
              Nov 20, 2020 15:37:29.600147009 CET | 104.23.98.190 | 443 | 192.168.2.6 | 49761 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
              (chain, same connection) | | | | | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
              Nov 20, 2020 15:37:29.751096010 CET | 104.23.98.190 | 443 | 192.168.2.6 | 49763 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
              (chain, same connection) | | | | | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |

              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time:15:35:19
              Start date:20/11/2020
              Path:C:\Users\user\Desktop\New Order.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\New Order.exe'
              Imagebase:0x4d0000
              File size:3756032 bytes
              MD5 hash:689357A46D00A4E9FE51AC4D82D73100
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:low

              General

              Start time:15:35:41
              Start date:20/11/2020
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force
              Imagebase:0xd30000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              General

              Start time:15:35:41
              Start date:20/11/2020
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff61de10000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:15:35:41
              Start date:20/11/2020
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force
              Imagebase:0xd30000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              General

              Start time: 15:35:42
              Start date: 20/11/2020
              Path: C:\Windows\System32\conhost.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase: 0x7ff61de10000
              File size: 625664 bytes
              MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high

              General

              Start time: 15:35:42
              Start date: 20/11/2020
              Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe' -Force
              Imagebase: 0xd30000
              File size: 430592 bytes
              MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Reputation: high

              General

              Start time: 15:35:42
              Start date: 20/11/2020
              Path: C:\Windows\System32\conhost.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase: 0x7ff61de10000
              File size: 625664 bytes
              MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high

              General

              Start time: 15:35:42
              Start date: 20/11/2020
              Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\New Order.exe' -Force
              Imagebase: 0xd30000
              File size: 430592 bytes
              MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Reputation: high

              General

              Start time: 15:35:42
              Start date: 20/11/2020
              Path: C:\Windows\System32\conhost.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase: 0x7ff61de10000
              File size: 625664 bytes
              MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high

              General

              Start time: 15:35:45
              Start date: 20/11/2020
              Path: C:\Users\user\Desktop\New Order.exe
              Wow64 process (32bit): true
              Commandline: C:\Users\user\Desktop\New Order.exe
              Imagebase: 0xb30000
              File size: 3756032 bytes
              MD5 hash: 689357A46D00A4E9FE51AC4D82D73100
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.604840237.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              Reputation: low

              General

              Start time: 15:35:49
              Start date: 20/11/2020
              Path: C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit): true
              Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 2476
              Imagebase: 0xef0000
              File size: 434592 bytes
              MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high

              General

              Start time: 15:35:54
              Start date: 20/11/2020
              Path: C:\Users\user\Desktop\New Order.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\New Order.exe'
              Imagebase: 0xca0000
              File size: 3756032 bytes
              MD5 hash: 689357A46D00A4E9FE51AC4D82D73100
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Reputation: low

              General

              Start time: 15:36:03
              Start date: 20/11/2020
              Path: C:\Users\user\Desktop\New Order.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\New Order.exe'
              Imagebase: 0xa90000
              File size: 3756032 bytes
              MD5 hash: 689357A46D00A4E9FE51AC4D82D73100
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Reputation: low

              General

              Start time: 15:36:11
              Start date: 20/11/2020
              Path: C:\Users\user\Desktop\New Order.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\New Order.exe'
              Imagebase: 0x560000
              File size: 3756032 bytes
              MD5 hash: 689357A46D00A4E9FE51AC4D82D73100
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Reputation: low

              General

              Start time: 15:36:20
              Start date: 20/11/2020
              Path: C:\Users\user\Desktop\New Order.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\New Order.exe'
              Imagebase: 0xd40000
              File size: 3756032 bytes
              MD5 hash: 689357A46D00A4E9FE51AC4D82D73100
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Reputation: low

              General

              Start time: 15:36:30
              Start date: 20/11/2020
              Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.exe'
              Imagebase: 0x6b0000
              File size: 3756032 bytes
              MD5 hash: 689357A46D00A4E9FE51AC4D82D73100
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 35%, Virustotal
              • Detection: 27%, ReversingLabs
              Reputation: low
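The process entries above show the chain a detection engineer cares about: the sample spawns powershell.exe running Add-MpPreference -ExclusionPath for its Desktop copy and for the copy it dropped into the user's Startup folder, and the Startup copy (same MD5 as the submitted sample) later executes. The following is an added example, not part of the Joe Sandbox report, of the detection logic an analyst might run over such a process list: it parses Add-MpPreference exclusion commands, rates an exclusion as suspicious when its target sits under a user-writable location, links it to any later execution of exactly that path, and separately flags execution from the Startup folder. The process records are constructed from the entries shown above (times, paths, command lines and hashes copied from the report); the Proc type, analyse(), the user-writable path heuristic and the severity labels are assumptions of this example, not Joe Sandbox or Microsoft APIs. It also accepts the -ExclusionProcess and -ExclusionExtension forms, which the report does not show.

```python
"""Added example (not part of the Joe Sandbox report): flag Windows Defender
exclusion tampering and Startup-folder persistence in a sandbox process list.

The process records are constructed from the entries shown in the report; the
Proc type, analyse() and the user-writable-path heuristic are assumptions of
this example, not Joe Sandbox or Microsoft APIs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    start: str      # HH:MM:SS as the report prints it; sorts lexically
    path: str       # image path on disk
    cmdline: str    # command line as recorded by the sandbox
    md5: str        # MD5 of the image on disk


SAMPLE_MD5 = "689357A46D00A4E9FE51AC4D82D73100"
DESKTOP_COPY = r"C:\Users\user\Desktop\New Order.exe"
STARTUP_COPY = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\New Order.exe")
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def mp_exclude(target):
    """Command line in the form the report shows for the exclusion step."""
    return (r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' "
            r"Add-MpPreference -ExclusionPath '{}' -Force").format(target)


# Constructed from the report's process entries (a subset, in report order).
PROCS = [
    Proc("15:35:41", POWERSHELL, mp_exclude(STARTUP_COPY), "DBA3E6449E97D4E3DF64527EF7012A10"),
    Proc("15:35:41", r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    Proc("15:35:42", POWERSHELL, mp_exclude(DESKTOP_COPY), "DBA3E6449E97D4E3DF64527EF7012A10"),
    Proc("15:35:45", DESKTOP_COPY, DESKTOP_COPY, SAMPLE_MD5),
    Proc("15:35:49", r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 2476", "9E2B8ACAD48ECCA55C0230D63623661B"),
    Proc("15:36:30", STARTUP_COPY, "'{}'".format(STARTUP_COPY), SAMPLE_MD5),
]

# Add-MpPreference -ExclusionPath / -ExclusionProcess / -ExclusionExtension <value>,
# with the value single-quoted, double-quoted or bare.  The report shows only the
# single-quoted -ExclusionPath form; the others are handled as a generalisation.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-(ExclusionPath|ExclusionProcess|ExclusionExtension)"
    r"""\s+(?:'([^']+)'|"([^"]+)"|(\S+))""",
    re.IGNORECASE,
)

# Heuristic (assumption of this example): a path under any of these is writable
# without admin rights, so an exclusion there shields whatever a user-level
# process drops next.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def is_user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def analyse(procs):
    """Return a list of findings (dicts) for the given process records."""
    by_path = {}
    for p in procs:
        by_path.setdefault(p.path.lower(), []).append(p)

    findings = []
    for p in procs:
        m = EXCLUSION_RE.search(p.cmdline)
        if m:
            kind = m.group(1)
            target = m.group(2) or m.group(3) or m.group(4)
            # Whatever runs from the excluded path after the exclusion was
            # added is what the exclusion was bought for.
            later = [q for q in by_path.get(target.lower(), []) if q.start > p.start]
            findings.append({
                "time": p.start,
                "rule": "defender_exclusion_added",
                "kind": kind,
                "target": target,
                "user_writable": is_user_writable(target),
                "later_executed_md5": sorted({q.md5 for q in later}),
                "severity": "high" if is_user_writable(target) or later else "medium",
            })
        if STARTUP_MARKER in p.path.lower():
            findings.append({
                "time": p.start,
                "rule": "startup_folder_execution",
                "target": p.path,
                "md5": p.md5,
                "severity": "high",
            })
    return findings


if __name__ == "__main__":
    for f in analyse(PROCS):
        print(f["time"], f["severity"].upper(), f["rule"], f["target"])
```

In production the same logic would consume Sysmon Event ID 1 or Security Event ID 4688 command lines rather than a sandbox listing. Two host-side checks complement it: Windows Defender records every exclusion change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists what is currently excluded, so an entry pointing at a file in a user's Startup folder is a finding on its own.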
