Windows Analysis Report
New Order 000212.exe

Overview

General Information

Sample Name: New Order 000212.exe
Analysis ID: 680420
MD5: 989e8988e2ed04a3e86a6faf2727c00f
SHA1: 6a5397ef11996176e5c5ec5b94004591a77208e5
SHA256: c19a3d6f7af18f9fae141a7234341d0bf8e1038638c13a625194eb3fece6a540
Tags: exe, Formbook, loki

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
.NET source code contains very large array initializations
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: New Order 000212.exe Virustotal: Detection: 35%
Source: New Order 000212.exe ReversingLabs: Detection: 42%
Source: Yara match File source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: New Order 000212.exe Avira: detected
Source: www.bitp0ker.com/ch0y/ Avira URL Cloud: Label: malware
Source: New Order 000212.exe Joe Sandbox ML: detected
Source: 16.0.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.0.New Order 000212.exe.6c0000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.bitp0ker.com/ch0y/"], "decoy": ["Ds5uTIKP/TGroQ==", "P9qN441Kxi+xjWTAhKNR1LVxMgQ=", "9qCL4zvn9mwIdk0h/yV7/huJF5n3D30s", "j3uKB82SGqWBQ5xcOVU=", "6pKRfMiuuToAgP0cqw==", "4PiOeIts9Uq4vg==", "hHZlS1fCwzXHL+Nmy2McH7RGLJS6", "VMCC6Z2YZcKNXyHVh62k/ZBj", "MplUSTGToAHVs6dJSfvF", "rWIiAAFoa+19AxYCyu7nIEN5NjPOCLc4mA==", "F4VSNDGZpizupadJSfvF", "kUcwDfhqa8FGq35iHI+L1Q==", "U7pxZ33UK0oEgP0cqw==", "AVoLdz8pa5cChDxr04vA", "0oSIgH72TZJXqw==", "OJpSKSiksjbxJdr7uBde7ARCBg==", "kk5PLGxObs2YQ5xcOVU=", "LyYV4NAyNrh+O0Q0oFFFGKVGLJS6", "act4W4dKW9fV5afRXQlQ3Q==", "smBEMTUISG878JUW+Sab4rVxMgQ=", "Wb1w2UzCO3qQxcsYrg==", "dSXgTwHz4FQOQ1O4eaVX2LVxMgQ=", "QvKfeZZimp6l3cCXY5rN", "9VUBVxcFpD3AOw2NdRbP", "hG5VLzW5zD3NmHF/+6/N", "9Q2iC5t3RLk8", "H/vFsO8OKLJ4vYKcLxDdpDfPcww=", "SyIff/NY0lMW24cgrkgDE2mSNBM=", "h/af9Xs+GWhCf1SuXwxEqcReAN1MQQE=", "0sqqFcF9RJ4ik2MixGURGrNGLJS6", "5qCkDtvJCzff5Nsz+xGg8ZVp", "aVRU0kgCua5scnvoow==", "KhoDZfmuv0D5q6lJSfvF", "AuTfVsNxhvJ86NC0gauk/ZBj", "mEg6LRZjbPyU98icaiGk/ZBj", "vKKkf2/c3E4RNQ3i", "moZ6xEVmCotDuJpavA==", "3dbQwevfJF0RNQ3i", "v56zK/b0QJgusKlJSfvF", "4kEIfiWb7Cb+gP0cqw==", "ULZ/Z23Z4Aq+JATg", "2/V7WpqzpZVqqQ==", "0o6A/IhIDDoOwMvHN9/i7kJjDg==", "q2lbsR/ut/vWCJd1O1dgqLCyQWJ9CLc4mA==", "JHcxkSZ3SIJFdEP7", "jkABch8PzOa8bW1MAKxbWPPNv87tUYkk", "A2faCjfr9lAw9JEW+eu1AwZzDpj3D30s", "hi4UAvI9PLpOy7JJSfvF", "j2ZsUX1BQnF0JjlLHI+L1Q==", "QDAVa9qFOGAuz7JJSfvF", "i/esHebaIjvS1ZxcOVU=", "7VICdTIBPyw+Z20=", "c96mm825+D0JNRDo", "ULJ1c4LAsDDzqVD7", "LZJQLjXzKFYx87lJSfvF", "R7xeUVnL4CMc0d/EhKuk/ZBj", "UQAJ6h9Ctt5WgP0cqw==", "WEA7BDDp8lsRNQ3i", "UxC8g6d9uPrOgS+ggPT185Nr", "8lQI/eJYWLx1JTkJ5vnS", "6KJjWKGNrDoAgP0cqw==", "guFYvYNFTFbZrieXzmivlOs4JeTUGw==", "o5B7Q3xLEET9MQJD7hGV4bVxMgQ=", "4lQVff1TGVEIxGU="]}
Source: New Order 000212.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: New Order 000212.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: explorer.pdbUGP source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 00000010.00000003.361531595.0000000000C69000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.520472277.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.364711699.0000000000E0F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 00000010.00000003.361531595.0000000000C69000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.520472277.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.364711699.0000000000E0F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: explorer.pdb source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmp

Networking

Source: Yara match File source: 0.2.New Order 000212.exe.9050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Malware configuration extractor URLs: www.bitp0ker.com/ch0y/
Source: New Order 000212.exe, 00000000.00000000.240015200.00000000006C2000.00000002.00000001.01000000.00000003.sdmp, New Order 000212.exe, 00000000.00000002.367007188.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: New Order 000212.exe, 00000000.00000002.367648258.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, New Order 000212.exe, 00000000.00000002.369178934.0000000002F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: New Order 000212.exe, 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, New Order 000212.exe, 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: New Order 000212.exe, 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, New Order 000212.exe, 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: New Order 000212.exe, 00000000.00000002.363190554.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.368882478.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: New Order 000212.exe PID: 5020, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 6444, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: New Order 000212.exe
Source: New Order 000212.exe, cahr.cs Large array initialization: yuue: array initializer size 2067968
Source: New Order 000212.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.368882478.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: New Order 000212.exe PID: 5020, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 6444, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\New Order 000212.exe Code function: 0_2_0130B0E8 0_2_0130B0E8
Source: C:\Users\user\Desktop\New Order 000212.exe Code function: 0_2_0130AF84 0_2_0130AF84
Source: C:\Users\user\Desktop\New Order 000212.exe Code function: 0_2_0130DCA0 0_2_0130DCA0
Source: C:\Users\user\Desktop\New Order 000212.exe Code function: 0_2_0130DC90 0_2_0130DC90
Source: C:\Users\user\Desktop\New Order 000212.exe Code function: 0_2_05EB0040 0_2_05EB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FEB090 16_2_00FEB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFA830 16_2_00FFA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01091002 16_2_01091002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010AE824 16_2_010AE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010020A0 16_2_010020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A20A8 16_2_010A20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FF4120 16_2_00FF4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A28EC 16_2_010A28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDF900 16_2_00FDF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A2B28 16_2_010A2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100EBB0 16_2_0100EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010903DA 16_2_010903DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109DBD2 16_2_0109DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0108FA2B 16_2_0108FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A22AE 16_2_010A22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFAB40 16_2_00FFAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A2D07 16_2_010A2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A1D55 16_2_010A1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01002581 16_2_01002581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A25DD 16_2_010A25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE841F 16_2_00FE841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FED5E0 16_2_00FED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109D466 16_2_0109D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD0D20 16_2_00FD0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010ADFCE 16_2_010ADFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FF6E30 16_2_00FF6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A1FF1 16_2_010A1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109D616 16_2_0109D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A2EF7 16_2_010A2EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 00FDB150 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_01019910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010199A0 NtCreateSection,LdrInitializeThunk, 16_2_010199A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019840 NtDelayExecution,LdrInitializeThunk, 16_2_01019840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_01019860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010198F0 NtReadVirtualMemory,LdrInitializeThunk, 16_2_010198F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019A00 NtProtectVirtualMemory,LdrInitializeThunk, 16_2_01019A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019A50 NtCreateFile,LdrInitializeThunk, 16_2_01019A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019540 NtReadFile,LdrInitializeThunk, 16_2_01019540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010195D0 NtClose,LdrInitializeThunk, 16_2_010195D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019710 NtQueryInformationToken,LdrInitializeThunk, 16_2_01019710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019780 NtMapViewOfSection,LdrInitializeThunk, 16_2_01019780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019FE0 NtCreateMutant,LdrInitializeThunk, 16_2_01019FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_01019660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010196E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_010196E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019950 NtQueueApcThread, 16_2_01019950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010199D0 NtCreateProcessEx, 16_2_010199D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019820 NtEnumerateKey, 16_2_01019820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0101B040 NtSuspendThread, 16_2_0101B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010198A0 NtWriteVirtualMemory, 16_2_010198A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019B00 NtSetValueKey, 16_2_01019B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0101A3B0 NtGetContextThread, 16_2_0101A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019A10 NtQuerySection, 16_2_01019A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019A20 NtResumeThread, 16_2_01019A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019A80 NtOpenDirectoryObject, 16_2_01019A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019520 NtWaitForSingleObject, 16_2_01019520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0101AD30 NtSetContextThread, 16_2_0101AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019560 NtWriteFile, 16_2_01019560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010195F0 NtQueryInformationFile, 16_2_010195F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0101A710 NtOpenProcessToken, 16_2_0101A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019730 NtQueryVirtualMemory, 16_2_01019730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019760 NtOpenProcess, 16_2_01019760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0101A770 NtOpenThread, 16_2_0101A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019770 NtSetInformationFile, 16_2_01019770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010197A0 NtUnmapViewOfSection, 16_2_010197A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019610 NtEnumerateValueKey, 16_2_01019610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019650 NtQueryValueKey, 16_2_01019650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019670 NtQueryInformationProcess, 16_2_01019670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010196D0 NtCreateKey, 16_2_010196D0
Source: New Order 000212.exe, 00000000.00000000.240715388.00000000008BE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNakglss.exeH vs New Order 000212.exe
Source: New Order 000212.exe, 00000000.00000002.362612162.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order 000212.exe
Source: New Order 000212.exe, 00000000.00000002.367155906.0000000002E45000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs New Order 000212.exe
Source: New Order 000212.exe, 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEnrtxcvwynqqa.dll" vs New Order 000212.exe
Source: New Order 000212.exe, 00000000.00000002.363190554.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs New Order 000212.exe
Source: New Order 000212.exe, 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameEnrtxcvwynqqa.dll" vs New Order 000212.exe
Source: New Order 000212.exe Virustotal: Detection: 35%
Source: New Order 000212.exe ReversingLabs: Detection: 42%
Source: New Order 000212.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order 000212.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\New Order 000212.exe "C:\Users\user\Desktop\New Order 000212.exe"
Source: C:\Users\user\Desktop\New Order 000212.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Order 000212.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\New Order 000212.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\New Order 000212.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order 000212.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhwx0ezb.tco.ps1
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/6@0/0
Source: C:\Users\user\Desktop\New Order 000212.exe File read: C:\Users\user\Desktop\desktop.ini
Source: New Order 000212.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\New Order 000212.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_01
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: New Order 000212.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: New Order 000212.exe Static file information: File size 2097664 > 1048576
Source: New Order 000212.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order 000212.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1fa200
Source: New Order 000212.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: explorer.pdbUGP source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 00000010.00000003.361531595.0000000000C69000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.520472277.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.364711699.0000000000E0F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 00000010.00000003.361531595.0000000000C69000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.520472277.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.364711699.0000000000E0F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: explorer.pdb source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: New Order 000212.exe, cahq.cs .Net Code: qxko System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\New Order 000212.exe Code function: 0_2_01300498 pushad ; retn 0002h 0_2_0130049A
Source: C:\Users\user\Desktop\New Order 000212.exe Code function: 0_2_05EB15B8 push eax; retf 0_2_05EB15B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0102D0D1 push ecx; ret 16_2_0102D0E4
Source: C:\Users\user\Desktop\New Order 000212.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Order 000212.exe TID: 5684 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5668 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01006B90 rdtsc 16_2_01006B90
Source: C:\Users\user\Desktop\New Order 000212.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe API coverage: 5.0 %
Source: C:\Users\user\Desktop\New Order 000212.exe Process information queried: ProcessInformation
Source: explorer.exe, 00000012.00000000.402361534.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000012.00000000.438938333.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 00000012.00000000.402361534.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000012.00000000.446278697.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000012.00000000.438938333.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.446345350.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.438938333.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000012.00000000.434299264.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.449364756.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000012.00000000.438938333.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: New Order 000212.exe, 00000000.00000002.364191680.000000000109E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: New Order 000212.exe, 00000000.00000002.364191680.000000000109E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.402361534.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000012.00000000.438938333.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\Desktop\New Order 000212.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD58EC mov eax, dword ptr fs:[00000030h] 16_2_00FD58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD40E1 mov eax, dword ptr fs:[00000030h] 16_2_00FD40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100513A mov eax, dword ptr fs:[00000030h] 16_2_0100513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD9080 mov eax, dword ptr fs:[00000030h] 16_2_00FD9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100A185 mov eax, dword ptr fs:[00000030h] 16_2_0100A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01002990 mov eax, dword ptr fs:[00000030h] 16_2_01002990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010061A0 mov eax, dword ptr fs:[00000030h] 16_2_010061A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010569A6 mov eax, dword ptr fs:[00000030h] 16_2_010569A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010949A4 mov eax, dword ptr fs:[00000030h] 16_2_010949A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FF0050 mov eax, dword ptr fs:[00000030h] 16_2_00FF0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010551BE mov eax, dword ptr fs:[00000030h] 16_2_010551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFA830 mov eax, dword ptr fs:[00000030h] 16_2_00FFA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FEB02A mov eax, dword ptr fs:[00000030h] 16_2_00FEB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010641E8 mov eax, dword ptr fs:[00000030h] 16_2_010641E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01057016 mov eax, dword ptr fs:[00000030h] 16_2_01057016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDB1E1 mov eax, dword ptr fs:[00000030h] 16_2_00FDB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A4015 mov eax, dword ptr fs:[00000030h] 16_2_010A4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100002D mov eax, dword ptr fs:[00000030h] 16_2_0100002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01092073 mov eax, dword ptr fs:[00000030h] 16_2_01092073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFC182 mov eax, dword ptr fs:[00000030h] 16_2_00FFC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A1074 mov eax, dword ptr fs:[00000030h] 16_2_010A1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01053884 mov eax, dword ptr fs:[00000030h] 16_2_01053884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDB171 mov eax, dword ptr fs:[00000030h] 16_2_00FDB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDC962 mov eax, dword ptr fs:[00000030h] 16_2_00FDC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010020A0 mov eax, dword ptr fs:[00000030h] 16_2_010020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010190AF mov eax, dword ptr fs:[00000030h] 16_2_010190AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFB944 mov eax, dword ptr fs:[00000030h] 16_2_00FFB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100F0BF mov ecx, dword ptr fs:[00000030h] 16_2_0100F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100F0BF mov eax, dword ptr fs:[00000030h] 16_2_0100F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0106B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0106B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0106B8D0 mov ecx, dword ptr fs:[00000030h] 16_2_0106B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FF4120 mov eax, dword ptr fs:[00000030h] 16_2_00FF4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FF4120 mov ecx, dword ptr fs:[00000030h] 16_2_00FF4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD9100 mov eax, dword ptr fs:[00000030h] 16_2_00FD9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109131B mov eax, dword ptr fs:[00000030h] 16_2_0109131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FEAAB0 mov eax, dword ptr fs:[00000030h] 16_2_00FEAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A8B58 mov eax, dword ptr fs:[00000030h] 16_2_010A8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD52A5 mov eax, dword ptr fs:[00000030h] 16_2_00FD52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01003B7A mov eax, dword ptr fs:[00000030h] 16_2_01003B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109138A mov eax, dword ptr fs:[00000030h] 16_2_0109138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0108D380 mov ecx, dword ptr fs:[00000030h] 16_2_0108D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100B390 mov eax, dword ptr fs:[00000030h] 16_2_0100B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01002397 mov eax, dword ptr fs:[00000030h] 16_2_01002397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01004BAD mov eax, dword ptr fs:[00000030h] 16_2_01004BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A5BA5 mov eax, dword ptr fs:[00000030h] 16_2_010A5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD9240 mov eax, dword ptr fs:[00000030h] 16_2_00FD9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010553CA mov eax, dword ptr fs:[00000030h] 16_2_010553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFA229 mov eax, dword ptr fs:[00000030h] 16_2_00FFA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010003E2 mov eax, dword ptr fs:[00000030h] 16_2_010003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FF3A1C mov eax, dword ptr fs:[00000030h] 16_2_00FF3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDAA16 mov eax, dword ptr fs:[00000030h] 16_2_00FDAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD5210 mov eax, dword ptr fs:[00000030h] 16_2_00FD5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD5210 mov ecx, dword ptr fs:[00000030h] 16_2_00FD5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE8A0A mov eax, dword ptr fs:[00000030h] 16_2_00FE8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFDBE9 mov eax, dword ptr fs:[00000030h] 16_2_00FFDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109AA16 mov eax, dword ptr fs:[00000030h] 16_2_0109AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01014A2C mov eax, dword ptr fs:[00000030h] 16_2_01014A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01064257 mov eax, dword ptr fs:[00000030h] 16_2_01064257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109EA55 mov eax, dword ptr fs:[00000030h] 16_2_0109EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0108B260 mov eax, dword ptr fs:[00000030h] 16_2_0108B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A8A62 mov eax, dword ptr fs:[00000030h] 16_2_010A8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE1B8F mov eax, dword ptr fs:[00000030h] 16_2_00FE1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0101927A mov eax, dword ptr fs:[00000030h] 16_2_0101927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100D294 mov eax, dword ptr fs:[00000030h] 16_2_0100D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDDB60 mov ecx, dword ptr fs:[00000030h] 16_2_00FDDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDF358 mov eax, dword ptr fs:[00000030h] 16_2_00FDF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100FAB0 mov eax, dword ptr fs:[00000030h] 16_2_0100FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDDB40 mov eax, dword ptr fs:[00000030h] 16_2_00FDDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01002ACB mov eax, dword ptr fs:[00000030h] 16_2_01002ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01002AE4 mov eax, dword ptr fs:[00000030h] 16_2_01002AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109E539 mov eax, dword ptr fs:[00000030h] 16_2_0109E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0105A537 mov eax, dword ptr fs:[00000030h] 16_2_0105A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01004D3B mov eax, dword ptr fs:[00000030h] 16_2_01004D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A8D34 mov eax, dword ptr fs:[00000030h] 16_2_010A8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01013D43 mov eax, dword ptr fs:[00000030h] 16_2_01013D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01053540 mov eax, dword ptr fs:[00000030h] 16_2_01053540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01083D40 mov eax, dword ptr fs:[00000030h] 16_2_01083D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE849B mov eax, dword ptr fs:[00000030h] 16_2_00FE849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01002581 mov eax, dword ptr fs:[00000030h] 16_2_01002581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FF746D mov eax, dword ptr fs:[00000030h] 16_2_00FF746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100FD9B mov eax, dword ptr fs:[00000030h] 16_2_0100FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010035A1 mov eax, dword ptr fs:[00000030h] 16_2_010035A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A05AC mov eax, dword ptr fs:[00000030h] 16_2_010A05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01001DB5 mov eax, dword ptr fs:[00000030h] 16_2_01001DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01056DC9 mov eax, dword ptr fs:[00000030h] 16_2_01056DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01056DC9 mov ecx, dword ptr fs:[00000030h] 16_2_01056DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109FDE2 mov eax, dword ptr fs:[00000030h] 16_2_0109FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01088DF1 mov eax, dword ptr fs:[00000030h] 16_2_01088DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A740D mov eax, dword ptr fs:[00000030h] 16_2_010A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h] 16_2_01091C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01056C0A mov eax, dword ptr fs:[00000030h] 16_2_01056C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FED5E0 mov eax, dword ptr fs:[00000030h] 16_2_00FED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100BC2C mov eax, dword ptr fs:[00000030h] 16_2_0100BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100A44B mov eax, dword ptr fs:[00000030h] 16_2_0100A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0106C450 mov eax, dword ptr fs:[00000030h] 16_2_0106C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD2D8A mov eax, dword ptr fs:[00000030h] 16_2_00FD2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFC577 mov eax, dword ptr fs:[00000030h] 16_2_00FFC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FF7D50 mov eax, dword ptr fs:[00000030h] 16_2_00FF7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 16_2_00FE3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDAD30 mov eax, dword ptr fs:[00000030h] 16_2_00FDAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A8CD6 mov eax, dword ptr fs:[00000030h] 16_2_010A8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010914FB mov eax, dword ptr fs:[00000030h] 16_2_010914FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01056CF0 mov eax, dword ptr fs:[00000030h] 16_2_01056CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A070D mov eax, dword ptr fs:[00000030h] 16_2_010A070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A070D mov eax, dword ptr fs:[00000030h] 16_2_010A070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100A70E mov eax, dword ptr fs:[00000030h] 16_2_0100A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100A70E mov eax, dword ptr fs:[00000030h] 16_2_0100A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0106FF10 mov eax, dword ptr fs:[00000030h] 16_2_0106FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0106FF10 mov eax, dword ptr fs:[00000030h] 16_2_0106FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE76E2 mov eax, dword ptr fs:[00000030h] 16_2_00FE76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100E730 mov eax, dword ptr fs:[00000030h] 16_2_0100E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A8F6A mov eax, dword ptr fs:[00000030h] 16_2_010A8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFAE73 mov eax, dword ptr fs:[00000030h] 16_2_00FFAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFAE73 mov eax, dword ptr fs:[00000030h] 16_2_00FFAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFAE73 mov eax, dword ptr fs:[00000030h] 16_2_00FFAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFAE73 mov eax, dword ptr fs:[00000030h] 16_2_00FFAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFAE73 mov eax, dword ptr fs:[00000030h] 16_2_00FFAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01057794 mov eax, dword ptr fs:[00000030h] 16_2_01057794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01057794 mov eax, dword ptr fs:[00000030h] 16_2_01057794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01057794 mov eax, dword ptr fs:[00000030h] 16_2_01057794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE766D mov eax, dword ptr fs:[00000030h] 16_2_00FE766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 16_2_00FE7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 16_2_00FE7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 16_2_00FE7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 16_2_00FE7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 16_2_00FE7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 16_2_00FE7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDE620 mov eax, dword ptr fs:[00000030h] 16_2_00FDE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010137F5 mov eax, dword ptr fs:[00000030h] 16_2_010137F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDC600 mov eax, dword ptr fs:[00000030h] 16_2_00FDC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDC600 mov eax, dword ptr fs:[00000030h] 16_2_00FDC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FDC600 mov eax, dword ptr fs:[00000030h] 16_2_00FDC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01008E00 mov eax, dword ptr fs:[00000030h] 16_2_01008E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01091608 mov eax, dword ptr fs:[00000030h] 16_2_01091608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100A61C mov eax, dword ptr fs:[00000030h] 16_2_0100A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0100A61C mov eax, dword ptr fs:[00000030h] 16_2_0100A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0108FE3F mov eax, dword ptr fs:[00000030h] 16_2_0108FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109AE44 mov eax, dword ptr fs:[00000030h] 16_2_0109AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0109AE44 mov eax, dword ptr fs:[00000030h] 16_2_0109AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FE8794 mov eax, dword ptr fs:[00000030h] 16_2_00FE8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0106FE87 mov eax, dword ptr fs:[00000030h] 16_2_0106FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FEFF60 mov eax, dword ptr fs:[00000030h] 16_2_00FEFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010546A7 mov eax, dword ptr fs:[00000030h] 16_2_010546A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A0EA5 mov eax, dword ptr fs:[00000030h] 16_2_010A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A0EA5 mov eax, dword ptr fs:[00000030h] 16_2_010A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A0EA5 mov eax, dword ptr fs:[00000030h] 16_2_010A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FEEF40 mov eax, dword ptr fs:[00000030h] 16_2_00FEEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01018EC7 mov eax, dword ptr fs:[00000030h] 16_2_01018EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0108FEC0 mov eax, dword ptr fs:[00000030h] 16_2_0108FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010036CC mov eax, dword ptr fs:[00000030h] 16_2_010036CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD4F2E mov eax, dword ptr fs:[00000030h] 16_2_00FD4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FD4F2E mov eax, dword ptr fs:[00000030h] 16_2_00FD4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010A8ED6 mov eax, dword ptr fs:[00000030h] 16_2_010A8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_010016E0 mov ecx, dword ptr fs:[00000030h] 16_2_010016E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_00FFF716 mov eax, dword ptr fs:[00000030h] 16_2_00FFF716
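The `mov eax, dword ptr fs:[00000030h]` hits listed above are the x86 encoding of a PEB pointer fetch: on 32-bit Windows the FS segment base is the Thread Environment Block, fs:[0x18] holds the TEB self-pointer and fs:[0x30] the pointer to the Process Environment Block, which anti-debug code then reads for BeingDebugged, NtGlobalFlag or the heap flags. The scanner below is an added example, not Joe Sandbox code, that finds those encodings in a raw code buffer; the sample bytes are constructed for the example, and the `base` argument only exists so offsets can be printed in the report's `16_2_<address>` style when the dumped region's load address is known.

```python
"""Added example (not Joe Sandbox code): find x86 reads of the TEB/PEB pointer.

On 32-bit Windows the FS segment base is the Thread Environment Block (TEB):
fs:[0x18] is the TEB self-pointer and fs:[0x30] the pointer to the Process
Environment Block (PEB).  `mov eax, dword ptr fs:[30h]` is therefore the first
step of PEB-based anti-debug checks (BeingDebugged, NtGlobalFlag, heap flags).
"""
import struct

FS_PREFIX = 0x64
TEB_FIELDS = {0x18: "TEB.NtTib.Self", 0x30: "TEB.ProcessEnvironmentBlock"}

# ModRM for "mod=00, reg=r32, rm=101 (disp32 only)", keyed by the byte value.
MODRM_DISP32 = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}

# Constructed sample: prologue, then a PEB fetch followed by a BeingDebugged
# read (mov al, [eax+2]), two more TEB reads, and one fs:[0] read (the SEH
# chain head, which legitimate code touches constantly and must not be flagged).
SAMPLE_CODE = (
    b"\x55\x8b\xec"                    # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"        # mov eax, fs:[30h]      (short form)
    b"\x8a\x40\x02"                    # mov al, [eax+2]        PEB.BeingDebugged
    b"\x64\x8b\x0d\x30\x00\x00\x00"    # mov ecx, fs:[30h]      (ModRM form)
    b"\x64\x8b\x15\x18\x00\x00\x00"    # mov edx, fs:[18h]      TEB self-pointer
    b"\x64\x8b\x05\x00\x00\x00\x00"    # mov eax, fs:[0]        SEH head, ignored
    b"\xc3"                            # ret
)


def find_teb_reads(code, base=0):
    """Return each `mov r32, fs:[disp32]` whose displacement is a known TEB field.

    Recognised encodings:
      64 A1 <disp32>       mov eax, fs:[disp32]   (EAX-only short form)
      64 8B /r <disp32>    mov r32, fs:[disp32]   (ModRM form, any register)
    `base` is added to offsets so they line up with the report's 16_2_<addr>
    labels when the image base of the dumped region is known.
    """
    hits, i, n = [], 0, len(code)
    while i < n - 1:
        if code[i] != FS_PREFIX:
            i += 1
            continue
        op = code[i + 1]
        if op == 0xA1 and i + 6 <= n:
            reg, disp_at, length = "eax", i + 2, 6
        elif op == 0x8B and i + 7 <= n and code[i + 2] in MODRM_DISP32:
            reg, disp_at, length = MODRM_DISP32[code[i + 2]], i + 3, 7
        else:
            i += 1
            continue
        disp = struct.unpack_from("<I", code, disp_at)[0]
        if disp in TEB_FIELDS:
            hits.append({"offset": base + i, "register": reg, "fs_offset": disp,
                         "field": TEB_FIELDS[disp], "bytes": code[i:i + length].hex()})
        i += length
    return hits


if __name__ == "__main__":
    for h in find_teb_reads(SAMPLE_CODE, base=0x00FE3D34):
        print(f"{h['offset']:08X}  mov {h['register']}, dword ptr fs:[{h['fs_offset']:08X}h]"
              f"  ; {h['field']}  [{h['bytes']}]")
```

Two caveats apply when running this over a memory dump: the 0x64 byte also occurs as ordinary data and immediates, so a hit should be confirmed against the disassembly before it is reported; and 64-bit code reaches the PEB through gs:[0x60] rather than fs:[0x30], which this scanner does not cover (the sample analysed here is a 32-bit PE, so FS is the right segment).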
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01019910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_01019910
Source: C:\Users\user\Desktop\New Order 000212.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 860008 Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Process created: Base64 decoded Start-Sleep -Seconds 20
Source: C:\Users\user\Desktop\New Order 000212.exe Process created: Base64 decoded Start-Sleep -Seconds 20 Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread register set: target process: 3968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread register set: target process: 3968 Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
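The memory-write, APC and thread-context lines above describe two hops. The dropper writes a PE image (the 4D5A marker) at the 0x400000 image base of a freshly started InstallUtil.exe, which is the process-hollowing pattern, and that hollowed InstallUtil.exe then drives explorer.exe by queueing an APC and rewriting a thread context. The encoded PowerShell child is the other detail worth pulling out: `-enc` takes base64 of the script as UTF-16LE, and here it decodes to nothing more than `Start-Sleep -Seconds 20`. The script below is an added triage helper, not part of Joe Sandbox, that parses these line shapes (copied from the report above as a constructed sample, trailing "Jump to behavior" link text included) into an ordered injection chain and decodes any -EncodedCommand payload it finds.

```python
"""Added triage helper (not Joe Sandbox code): rebuild the injection chain and
decode -EncodedCommand payloads from Joe Sandbox-style behaviour lines."""
import base64
import re
from collections import OrderedDict

# Constructed sample: copies of the behaviour lines from the report above.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\New Order 000212.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\New Order 000212.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\New Order 000212.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 860008 Jump to behavior",
    r"Source: C:\Users\user\Desktop\New Order 000212.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread register set: target process: 3968 Jump to behavior",
    r'Source: C:\Users\user\Desktop\New Order 000212.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior',
    r"Source: C:\Users\user\Desktop\New Order 000212.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior",
]

# The HTML export leaves the "Jump to behavior" link text on each line.
TRAIL = r"(?: Jump to behavior)?\s*$"
RE_MEMWRITE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) base: "
                         r"(?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<val>[0-9A-Fa-f]+))?" + TRAIL)
RE_APC = re.compile(r"^Source: (?P<src>.+?) Thread APC queued: target process: (?P<dst>.+?)" + TRAIL)
RE_CTX = re.compile(r"^Source: (?P<src>.+?) Thread register set: target process: (?P<dst>\S+)" + TRAIL)
RE_PROC = re.compile(r"^Source: (?P<src>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+?)" + TRAIL)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec.
ENC_FLAGS = {"encodedcommand"[:k] for k in range(1, 15)} | {"ec"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if the command line has none.

    The payload is base64 of the script encoded as UTF-16LE, which is why an
    ASCII command shows a zero byte after every character when dumped raw."""
    tokens = cmdline.split()
    for flag, payload in zip(tokens, tokens[1:]):
        if flag[:1] in "-/" and flag[1:].lower() in ENC_FLAGS:
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(lines):
    """Group behaviour lines into an ordered injection chain plus decoded commands."""
    writes = OrderedDict()      # (src, dst) -> bases written and whether an MZ header landed
    thread_steps, decoded = [], []
    for line in lines:
        if m := RE_MEMWRITE.match(line):
            entry = writes.setdefault((m["src"], m["dst"]), {"bases": [], "mz_at_base": False})
            base = int(m["base"], 16)
            if base not in entry["bases"]:
                entry["bases"].append(base)
            entry["mz_at_base"] |= (m["val"] or "").upper() == "4D5A"
        elif m := RE_APC.match(line):
            thread_steps.append((m["src"], m["dst"], "APC queued in remote thread"))
        elif m := RE_CTX.match(line):
            thread_steps.append((m["src"], "pid " + m["dst"], "remote thread context modified"))
        elif m := RE_PROC.match(line):
            text = decode_encoded_command(m["cmdline"])
            if text is not None:
                decoded.append({"parent": m["src"], "image": m["image"], "decoded": text})
    chain = [
        {"source": src, "target": dst, "bases": e["bases"],
         "technique": "PE image written at remote image base (process hollowing)"
         if e["mz_at_base"] else "remote memory write"}
        for (src, dst), e in writes.items()
    ]
    for src, dst, technique in dict.fromkeys(thread_steps):   # de-duplicate, keep order
        chain.append({"source": src, "target": dst, "technique": technique})
    return {"chain": chain, "decoded_commands": decoded}


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for hop in result["chain"]:
        print(f"{hop['source']} -> {hop['target']}: {hop['technique']}")
    for cmd in result["decoded_commands"]:
        print(f"{cmd['image']} decoded: {cmd['decoded']}")
```

The "Thread register set" line only carries a PID, so the helper reports the target as `pid 3968` rather than guessing which image that was; the report itself does not tie the PID to a path. In this sample the decoded PowerShell is a plain 20-second delay, a sandbox-evasion sleep rather than a second-stage download, but the same decoder is what to run first on any `-enc` child process before deciding that.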
Source: explorer.exe, 00000012.00000000.446302005.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.476936024.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.370764856.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000012.00000000.447464020.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.422819978.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.372707154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000012.00000000.447464020.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.422819978.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.372707154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000012.00000000.422350768.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.477177121.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.371497220.0000000000708000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000012.00000000.447464020.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.422819978.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.372707154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\Desktop\New Order 000212.exe Queries volume information: C:\Users\user\Desktop\New Order 000212.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order 000212.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
No contacted IP infos