Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
New Order 000212.exe

Overview

General Information

Sample Name:New Order 000212.exe
Analysis ID:680420
MD5:989e8988e2ed04a3e86a6faf2727c00f
SHA1:6a5397ef11996176e5c5ec5b94004591a77208e5
SHA256:c19a3d6f7af18f9fae141a7234341d0bf8e1038638c13a625194eb3fece6a540
Tags:exeFormbookloki
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
.NET source code contains very large array initializations
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • New Order 000212.exe (PID: 5020 cmdline: "C:\Users\user\Desktop\New Order 000212.exe" MD5: 989E8988E2ED04A3E86A6FAF2727C00F)
    • powershell.exe (PID: 3360 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • InstallUtil.exe (PID: 6444 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 4504 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bitp0ker.com/ch0y/"], "decoy": ["Ds5uTIKP/TGroQ==", "P9qN441Kxi+xjWTAhKNR1LVxMgQ=", "9qCL4zvn9mwIdk0h/yV7/huJF5n3D30s", "j3uKB82SGqWBQ5xcOVU=", "6pKRfMiuuToAgP0cqw==", "4PiOeIts9Uq4vg==", "hHZlS1fCwzXHL+Nmy2McH7RGLJS6", "VMCC6Z2YZcKNXyHVh62k/ZBj", "MplUSTGToAHVs6dJSfvF", "rWIiAAFoa+19AxYCyu7nIEN5NjPOCLc4mA==", "F4VSNDGZpizupadJSfvF", "kUcwDfhqa8FGq35iHI+L1Q==", "U7pxZ33UK0oEgP0cqw==", "AVoLdz8pa5cChDxr04vA", "0oSIgH72TZJXqw==", "OJpSKSiksjbxJdr7uBde7ARCBg==", "kk5PLGxObs2YQ5xcOVU=", "LyYV4NAyNrh+O0Q0oFFFGKVGLJS6", "act4W4dKW9fV5afRXQlQ3Q==", "smBEMTUISG878JUW+Sab4rVxMgQ=", "Wb1w2UzCO3qQxcsYrg==", "dSXgTwHz4FQOQ1O4eaVX2LVxMgQ=", "QvKfeZZimp6l3cCXY5rN", "9VUBVxcFpD3AOw2NdRbP", "hG5VLzW5zD3NmHF/+6/N", "9Q2iC5t3RLk8", "H/vFsO8OKLJ4vYKcLxDdpDfPcww=", "SyIff/NY0lMW24cgrkgDE2mSNBM=", "h/af9Xs+GWhCf1SuXwxEqcReAN1MQQE=", "0sqqFcF9RJ4ik2MixGURGrNGLJS6", "5qCkDtvJCzff5Nsz+xGg8ZVp", "aVRU0kgCua5scnvoow==", "KhoDZfmuv0D5q6lJSfvF", "AuTfVsNxhvJ86NC0gauk/ZBj", "mEg6LRZjbPyU98icaiGk/ZBj", "vKKkf2/c3E4RNQ3i", "moZ6xEVmCotDuJpavA==", "3dbQwevfJF0RNQ3i", "v56zK/b0QJgusKlJSfvF", "4kEIfiWb7Cb+gP0cqw==", "ULZ/Z23Z4Aq+JATg", "2/V7WpqzpZVqqQ==", "0o6A/IhIDDoOwMvHN9/i7kJjDg==", "q2lbsR/ut/vWCJd1O1dgqLCyQWJ9CLc4mA==", "JHcxkSZ3SIJFdEP7", "jkABch8PzOa8bW1MAKxbWPPNv87tUYkk", "A2faCjfr9lAw9JEW+eu1AwZzDpj3D30s", "hi4UAvI9PLpOy7JJSfvF", "j2ZsUX1BQnF0JjlLHI+L1Q==", "QDAVa9qFOGAuz7JJSfvF", "i/esHebaIjvS1ZxcOVU=", "7VICdTIBPyw+Z20=", "c96mm825+D0JNRDo", "ULJ1c4LAsDDzqVD7", "LZJQLjXzKFYx87lJSfvF", "R7xeUVnL4CMc0d/EhKuk/ZBj", "UQAJ6h9Ctt5WgP0cqw==", "WEA7BDDp8lsRNQ3i", "UxC8g6d9uPrOgS+ggPT185Nr", "8lQI/eJYWLx1JTkJ5vnS", "6KJjWKGNrDoAgP0cqw==", "guFYvYNFTFbZrieXzmivlOs4JeTUGw==", "o5B7Q3xLEET9MQJD7hGV4bVxMgQ=", "4lQVff1TGVEIxGU="]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0xe7a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x7b57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
    00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x7955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x7401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x7a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x7bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x664c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xd3f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xe50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x9e49:$sqlite3step: 68 34 1C 7B E1
    • 0x9f7c:$sqlite3step: 68 34 1C 7B E1
    • 0x9e8b:$sqlite3text: 68 38 2A 90 C5
    • 0x9fd3:$sqlite3text: 68 38 2A 90 C5
    • 0x9ea2:$sqlite3blob: 68 53 D8 7F 8C
    • 0x9ff5:$sqlite3blob: 68 53 D8 7F 8C
    00000000.00000002.368882478.0000000002F24000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x1122d:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1555b:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    Click to see the 19 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    16.0.InstallUtil.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
      16.0.InstallUtil.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x5811:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1c9a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x9b3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x15d57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      16.0.InstallUtil.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x15b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15601:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x15dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x970a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1484c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa452:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b5f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c70a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      16.0.InstallUtil.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
      • 0x18049:$sqlite3step: 68 34 1C 7B E1
      • 0x1817c:$sqlite3step: 68 34 1C 7B E1
      • 0x1808b:$sqlite3text: 68 38 2A 90 C5
      • 0x181d3:$sqlite3text: 68 38 2A 90 C5
      • 0x180a2:$sqlite3blob: 68 53 D8 7F 8C
      • 0x181f5:$sqlite3blob: 68 53 D8 7F 8C
      0.2.New Order 000212.exe.9050000.0.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security

        Sigma Signatures

        No Sigma rule has matched

        Snort Signatures

        No Snort rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for submitted file
        Source: New Order 000212.exeVirustotal: Detection: 35%Perma Link
        Source: New Order 000212.exeReversingLabs: Detection: 42%
        Yara detected FormBook
        Source: Yara matchFile source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Antivirus / Scanner detection for submitted sample
        Source: New Order 000212.exeAvira: detected
        Antivirus detection for URL or domain
        Source: www.bitp0ker.com/ch0y/Avira URL Cloud: Label: malware
        Machine Learning detection for sample
        Source: New Order 000212.exeJoe Sandbox ML: detected
        Source: 16.0.InstallUtil.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
        Source: 0.0.New Order 000212.exe.6c0000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen7
        Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.bitp0ker.com/ch0y/"], "decoy": ["Ds5uTIKP/TGroQ==", "P9qN441Kxi+xjWTAhKNR1LVxMgQ=", "9qCL4zvn9mwIdk0h/yV7/huJF5n3D30s", "j3uKB82SGqWBQ5xcOVU=", "6pKRfMiuuToAgP0cqw==", "4PiOeIts9Uq4vg==", "hHZlS1fCwzXHL+Nmy2McH7RGLJS6", "VMCC6Z2YZcKNXyHVh62k/ZBj", "MplUSTGToAHVs6dJSfvF", "rWIiAAFoa+19AxYCyu7nIEN5NjPOCLc4mA==", "F4VSNDGZpizupadJSfvF", "kUcwDfhqa8FGq35iHI+L1Q==", "U7pxZ33UK0oEgP0cqw==", "AVoLdz8pa5cChDxr04vA", "0oSIgH72TZJXqw==", "OJpSKSiksjbxJdr7uBde7ARCBg==", "kk5PLGxObs2YQ5xcOVU=", "LyYV4NAyNrh+O0Q0oFFFGKVGLJS6", "act4W4dKW9fV5afRXQlQ3Q==", "smBEMTUISG878JUW+Sab4rVxMgQ=", "Wb1w2UzCO3qQxcsYrg==", "dSXgTwHz4FQOQ1O4eaVX2LVxMgQ=", "QvKfeZZimp6l3cCXY5rN", "9VUBVxcFpD3AOw2NdRbP", "hG5VLzW5zD3NmHF/+6/N", "9Q2iC5t3RLk8", "H/vFsO8OKLJ4vYKcLxDdpDfPcww=", "SyIff/NY0lMW24cgrkgDE2mSNBM=", "h/af9Xs+GWhCf1SuXwxEqcReAN1MQQE=", "0sqqFcF9RJ4ik2MixGURGrNGLJS6", "5qCkDtvJCzff5Nsz+xGg8ZVp", "aVRU0kgCua5scnvoow==", "KhoDZfmuv0D5q6lJSfvF", "AuTfVsNxhvJ86NC0gauk/ZBj", "mEg6LRZjbPyU98icaiGk/ZBj", "vKKkf2/c3E4RNQ3i", "moZ6xEVmCotDuJpavA==", "3dbQwevfJF0RNQ3i", "v56zK/b0QJgusKlJSfvF", "4kEIfiWb7Cb+gP0cqw==", "ULZ/Z23Z4Aq+JATg", "2/V7WpqzpZVqqQ==", "0o6A/IhIDDoOwMvHN9/i7kJjDg==", "q2lbsR/ut/vWCJd1O1dgqLCyQWJ9CLc4mA==", "JHcxkSZ3SIJFdEP7", "jkABch8PzOa8bW1MAKxbWPPNv87tUYkk", "A2faCjfr9lAw9JEW+eu1AwZzDpj3D30s", "hi4UAvI9PLpOy7JJSfvF", "j2ZsUX1BQnF0JjlLHI+L1Q==", "QDAVa9qFOGAuz7JJSfvF", "i/esHebaIjvS1ZxcOVU=", "7VICdTIBPyw+Z20=", "c96mm825+D0JNRDo", "ULJ1c4LAsDDzqVD7", "LZJQLjXzKFYx87lJSfvF", "R7xeUVnL4CMc0d/EhKuk/ZBj", "UQAJ6h9Ctt5WgP0cqw==", "WEA7BDDp8lsRNQ3i", "UxC8g6d9uPrOgS+ggPT185Nr", "8lQI/eJYWLx1JTkJ5vnS", "6KJjWKGNrDoAgP0cqw==", "guFYvYNFTFbZrieXzmivlOs4JeTUGw==", "o5B7Q3xLEET9MQJD7hGV4bVxMgQ=", "4lQVff1TGVEIxGU="]}
        Source: New Order 000212.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: New Order 000212.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: explorer.pdbUGP source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 00000010.00000003.361531595.0000000000C69000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.520472277.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.364711699.0000000000E0F000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 00000010.00000003.361531595.0000000000C69000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.520472277.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.364711699.0000000000E0F000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: explorer.pdb source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmp

        Networking

        barindex
        Yara detected Generic Downloader
        Source: Yara matchFile source: 0.2.New Order 000212.exe.9050000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractorURLs: www.bitp0ker.com/ch0y/
        Source: New Order 000212.exe, 00000000.00000000.240015200.00000000006C2000.00000002.00000001.01000000.00000003.sdmp, New Order 000212.exe, 00000000.00000002.367007188.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://google.com
        Source: New Order 000212.exe, 00000000.00000002.367648258.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, New Order 000212.exe, 00000000.00000002.369178934.0000000002F50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
        Source: New Order 000212.exe, 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, New Order 000212.exe, 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
        Source: New Order 000212.exe, 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, New Order 000212.exe, 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
        Source: New Order 000212.exe, 00000000.00000002.363190554.0000000000FD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        E-Banking Fraud

        barindex
        Yara detected FormBook
        Source: Yara matchFile source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000000.00000002.368882478.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: Process Memory Space: New Order 000212.exe PID: 5020, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: Process Memory Space: InstallUtil.exe PID: 6444, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Initial sample is a PE file and has a suspicious name
        Source: initial sampleStatic PE information: Filename: New Order 000212.exe
        .NET source code contains very large array initializations
        Source: New Order 000212.exe, cahr.csLarge array initialization: yuue: array initializer size 2067968
        Source: New Order 000212.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000002.368882478.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: Process Memory Space: New Order 000212.exe PID: 5020, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: Process Memory Space: InstallUtil.exe PID: 6444, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: C:\Users\user\Desktop\New Order 000212.exeCode function: 0_2_0130B0E8
        Source: C:\Users\user\Desktop\New Order 000212.exeCode function: 0_2_0130AF84
        Source: C:\Users\user\Desktop\New Order 000212.exeCode function: 0_2_0130DCA0
        Source: C:\Users\user\Desktop\New Order 000212.exeCode function: 0_2_0130DC90
        Source: C:\Users\user\Desktop\New Order 000212.exeCode function: 0_2_05EB0040
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FEB090
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA830
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091002
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010AE824
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010020A0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A20A8
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF4120
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A28EC
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDF900
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A2B28
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100EBB0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010903DA
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109DBD2
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0108FA2B
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A22AE
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFAB40
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A2D07
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A1D55
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01002581
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A25DD
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE841F
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FED5E0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109D466
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD0D20
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010ADFCE
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF6E30
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A1FF1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109D616
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A2EF7
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: String function: 00FDB150 appears 54 times
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010199A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010198F0 NtReadVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019A00 NtProtectVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019540 NtReadFile,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010195D0 NtClose,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019FE0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010196E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019950 NtQueueApcThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010199D0 NtCreateProcessEx,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019820 NtEnumerateKey,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0101B040 NtSuspendThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010198A0 NtWriteVirtualMemory,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019B00 NtSetValueKey,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0101A3B0 NtGetContextThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019A10 NtQuerySection,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019A20 NtResumeThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019A80 NtOpenDirectoryObject,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019520 NtWaitForSingleObject,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0101AD30 NtSetContextThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019560 NtWriteFile,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010195F0 NtQueryInformationFile,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0101A710 NtOpenProcessToken,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019730 NtQueryVirtualMemory,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019760 NtOpenProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0101A770 NtOpenThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019770 NtSetInformationFile,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010197A0 NtUnmapViewOfSection,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019610 NtEnumerateValueKey,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019650 NtQueryValueKey,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019670 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010196D0 NtCreateKey,
        Source: New Order 000212.exe, 00000000.00000000.240715388.00000000008BE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNakglss.exeH vs New Order 000212.exe
        Source: New Order 000212.exe, 00000000.00000002.362612162.0000000000CF9000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order 000212.exe
        Source: New Order 000212.exe, 00000000.00000002.367155906.0000000002E45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs New Order 000212.exe
        Source: New Order 000212.exe, 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnrtxcvwynqqa.dll" vs New Order 000212.exe
        Source: New Order 000212.exe, 00000000.00000002.363190554.0000000000FD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs New Order 000212.exe
        Source: New Order 000212.exe, 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameEnrtxcvwynqqa.dll" vs New Order 000212.exe
        Source: New Order 000212.exeVirustotal: Detection: 35%
        Source: New Order 000212.exeReversingLabs: Detection: 42%
        Source: New Order 000212.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\New Order 000212.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\New Order 000212.exe "C:\Users\user\Desktop\New Order 000212.exe"
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        Source: C:\Users\user\Desktop\New Order 000212.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\New Order 000212.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order 000212.exe.logJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhwx0ezb.tco.ps1Jump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@7/6@0/0
        Source: C:\Users\user\Desktop\New Order 000212.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: New Order 000212.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        Source: C:\Users\user\Desktop\New Order 000212.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_01
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: New Order 000212.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
        Source: New Order 000212.exeStatic file information: File size 2097664 > 1048576
        Source: New Order 000212.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: New Order 000212.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1fa200
        Source: New Order 000212.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: explorer.pdbUGP source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 00000010.00000003.361531595.0000000000C69000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.520472277.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.364711699.0000000000E0F000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 00000010.00000003.361531595.0000000000C69000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.520472277.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.364711699.0000000000E0F000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: explorer.pdb source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmp

        Data Obfuscation

        barindex
        .NET source code contains potential unpacker
        Source: New Order 000212.exe, cahq.cs.Net Code: qxko System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\New Order 000212.exeCode function: 0_2_01300498 pushad ; retn 0002h
        Source: C:\Users\user\Desktop\New Order 000212.exeCode function: 0_2_05EB15B8 push eax; retf
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0102D0D1 push ecx; ret
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\New Order 000212.exe TID: 5684Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5668Thread sleep time: -7378697629483816s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01006B90 rdtsc
        Source: C:\Users\user\Desktop\New Order 000212.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9163
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeAPI coverage: 5.0 %
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\New Order 000212.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: explorer.exe, 00000012.00000000.402361534.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
        Source: explorer.exe, 00000012.00000000.438938333.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
        Source: explorer.exe, 00000012.00000000.402361534.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Prod_VMware_SATA
        Source: explorer.exe, 00000012.00000000.446278697.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
        Source: explorer.exe, 00000012.00000000.438938333.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000012.00000000.446345350.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000012.00000000.438938333.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
        Source: explorer.exe, 00000012.00000000.434299264.00000000062C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000012.00000000.449364756.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
        Source: explorer.exe, 00000012.00000000.438938333.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
        Source: New Order 000212.exe, 00000000.00000002.364191680.000000000109E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: New Order 000212.exe, 00000000.00000002.364191680.000000000109E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000012.00000000.402361534.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
        Source: explorer.exe, 00000012.00000000.438938333.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00l
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01006B90 rdtsc
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD58EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD40E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD40E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD40E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD9080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100A185 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01002990 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010061A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010061A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010569A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010949A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010949A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010949A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010949A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF0050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF0050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010551BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010551BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010551BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010551BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA830 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA830 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA830 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA830 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FEB02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FEB02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FEB02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FEB02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010641E8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01057016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01057016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01057016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDB1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDB1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDB1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A4015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A4015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01092073 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFC182 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A1074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01053884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01053884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDB171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDB171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDC962 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010020A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010020A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010020A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010020A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010020A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010020A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010190AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFB944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFB944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100F0BF mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106B8D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF4120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF4120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF4120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF4120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF4120 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD9100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD9100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD9100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109131B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FEAAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FEAAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A8B58 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01003B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01003B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109138A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0108D380 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100B390 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01002397 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01004BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01004BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01004BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A5BA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD9240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD9240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD9240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD9240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010553CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010553CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010003E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010003E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010003E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010003E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010003E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010003E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF3A1C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDAA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDAA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD5210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD5210 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD5210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD5210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE8A0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFDBE9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01014A2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01014A2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01064257 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109EA55 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0108B260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0108B260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A8A62 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE1B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE1B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0101927A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100D294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100D294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDDB60 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDF358 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100FAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDDB40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01002ACB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01002AE4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109E539 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0105A537 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01004D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01004D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01004D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A8D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01013D43 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01053540 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01083D40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE849B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01002581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01002581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01002581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01002581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF746D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010035A1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A05AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A05AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01001DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01001DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01001DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056DC9 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01088DF1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FED5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FED5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100BC2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100A44B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106C450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106C450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFC577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFC577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FF7D50 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDAD30 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A8CD6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010914FB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01056CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100A70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100A70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106FF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106FF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE76E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100E730 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A8F6A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01057794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01057794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01057794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE766D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDE620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010137F5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDC600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDC600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FDC600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01008E00 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01091608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100A61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0100A61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0108FE3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109AE44 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0109AE44 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FE8794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0106FE87 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FEFF60 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010546A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A0EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A0EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A0EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FEEF40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01018EC7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0108FEC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010036CC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD4F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FD4F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010A8ED6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_010016E0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_00FFF716 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01019910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\New Order 000212.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Maps a DLL or memory area into another process
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\New Order 000212.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
        Source: C:\Users\user\Desktop\New Order 000212.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000
        Source: C:\Users\user\Desktop\New Order 000212.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 860008
        Encrypted powershell cmdline option found
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess created: Base64 decoded Start-Sleep -Seconds 20
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess created: Base64 decoded Start-Sleep -Seconds 20
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\New Order 000212.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
        Queues an APC in another process (thread injection)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread APC queued: target process: C:\Windows\explorer.exe
        Modifies the context of a thread in another process (thread injection)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread register set: target process: 3968
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread register set: target process: 3968
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        Source: C:\Users\user\Desktop\New Order 000212.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        Source: explorer.exe, 00000012.00000000.446302005.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.476936024.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.370764856.0000000000688000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanEXE^
        Source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
        Source: explorer.exe, 00000012.00000000.447464020.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.422819978.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.372707154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
        Source: InstallUtil.exe, 00000010.00000003.506919919.0000000003304000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000003.492046255.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.525417511.0000000002F80000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
        Source: explorer.exe, 00000012.00000000.447464020.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.422819978.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.372707154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
        Source: explorer.exe, 00000012.00000000.422350768.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.477177121.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.371497220.0000000000708000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd4
        Source: explorer.exe, 00000012.00000000.447464020.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.422819978.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.372707154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: WProgram Manager
        Source: C:\Users\user\Desktop\New Order 000212.exeQueries volume information: C:\Users\user\Desktop\New Order 000212.exe VolumeInformation
        Source: C:\Users\user\Desktop\New Order 000212.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\New Order 000212.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\New Order 000212.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\New Order 000212.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Users\user\Desktop\New Order 000212.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Users\user\Desktop\New Order 000212.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Users\user\Desktop\New Order 000212.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Users\user\Desktop\New Order 000212.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        barindex
        Yara detected FormBook
        Source: Yara matchFile source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

        Remote Access Functionality

        barindex
        Yara detected FormBook
        Source: Yara matchFile source: 16.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts1
        PowerShell        		Path Interception512
        Process Injection        		1
        Masquerading        		1
        Input Capture        		21
        Security Software Discovery        		Remote Services1
        Input Capture        		Exfiltration Over Other Network Medium1
        Encrypted Channel        		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Disable or Modify Tools        		LSASS Memory2
        Process Discovery        		Remote Desktop Protocol1
        Archive Collected Data        		Exfiltration Over Bluetooth1
        Application Layer Protocol        		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)31
        Virtualization/Sandbox Evasion        		Security Account Manager31
        Virtualization/Sandbox Evasion        		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)512
        Process Injection        		NTDS1
        Application Window Discovery        		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
        Deobfuscate/Decode Files or Information        		LSA Secrets1
        File and Directory Discovery        		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.common2
        Obfuscated Files or Information        		Cached Domain Credentials12
        System Information Discovery        		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup Items11
        Software Packing        		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        New Order 000212.exe35%VirustotalBrowse
        New Order 000212.exe42%ReversingLabsByteCode-MSIL.Trojan.Generic
        New Order 000212.exe100%AviraTR/Crypt.XPACK.Gen7
        New Order 000212.exe100%Joe Sandbox ML

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        SourceDetectionScannerLabelLinkDownload
        16.2.InstallUtil.exe.2f80000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
        16.0.InstallUtil.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
        0.0.New Order 000212.exe.6c0000.0.unpack100%AviraTR/Crypt.XPACK.Gen7Download File

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://james.newtonking.com/projects/json0%URL Reputationsafe
        www.bitp0ker.com/ch0y/1%VirustotalBrowse
        www.bitp0ker.com/ch0y/100%Avira URL Cloudmalware

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        www.bitp0ker.com/ch0y/true
        • 1%, Virustotal, Browse
        • Avira URL Cloud: malware
        		low

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        https://www.nuget.org/packages/Newtonsoft.Json.BsonNew Order 000212.exe, 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, New Order 000212.exe, 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmpfalse
          		high
          http://google.comNew Order 000212.exe, 00000000.00000000.240015200.00000000006C2000.00000002.00000001.01000000.00000003.sdmp, New Order 000212.exe, 00000000.00000002.367007188.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://james.newtonking.com/projects/jsonNew Order 000212.exe, 00000000.00000002.367648258.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, New Order 000212.exe, 00000000.00000002.369178934.0000000002F50000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://www.newtonsoft.com/jsonschemaNew Order 000212.exe, 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, New Order 000212.exe, 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmpfalse
              		high

              World Map of Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version:35.0.0 Citrine
              Analysis ID:680420
              Start date and time: 08/08/202215:26:082022-08-08 15:26:08 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 8m 36s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:New Order 000212.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:29
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:1
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@7/6@0/0
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 100% (good quality ratio 87.3%)
              • Quality average: 71.8%
              • Quality standard deviation: 33.2%
              HCA Information:
              • Successful, ratio: 96%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Adjust boot time
              • Enable AMSI

              Warnings

              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 23.211.6.115, 40.125.122.176, 52.242.101.226, 52.152.110.14, 20.223.24.244
              • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
              • Not all processes where analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              TimeTypeDescription
              15:27:32API Interceptor41x Sleep call for process: powershell.exe modified

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASNs

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order 000212.exe.log

              Download File
              Process:C:\Users\user\Desktop\New Order 000212.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1537
              Entropy (8bit):5.3478589519339295
              Encrypted:false
              SSDEEP:48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHLHKdHKBqHKs:Pq5qXEwCYqhQnoPtIxHeqzNrqdq4qs
              MD5:F6D3657BD1FBEF54E7F7BACB2497E327
              SHA1:A0A712015C242DCC28B69CDF567F594627C9CFA0
              SHA-256:5B16B4A3E65F04484B12171163A2A739409FA7F8C3D69BF9BAD961618D973301
              SHA-512:0231195A111259A3AA48526DCBEA98394099794C710C3FB8E0E12E2B4D30C60FB4064F7F4F671866FB0D94585E23B73C1270440242B25DA60CCFFA82B0B74306
              Malicious:true
              Reputation:moderate, very likely benign file
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):5829
              Entropy (8bit):4.8968676994158
              Encrypted:false
              SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
              MD5:36DE9155D6C265A1DE62A448F3B5B66E
              SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
              SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
              SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
              Malicious:false
              Reputation:high, very likely benign file
              Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):17292
              Entropy (8bit):5.549929502421075
              Encrypted:false
              SSDEEP:384:rt9/O0TZSI6KQxAS0n2js9F7Y9g6SJ3k111JqYd:DPhQOT2o9N6ckjjd
              MD5:6B472317CDF95E79A0EC70654C5100EE
              SHA1:B0F9655B3CE430F88B6332058860FF2F7024304E
              SHA-256:ADA11F0D8E620C3C369251D1DAFD96928ED72C8EC936EFE9E68693748B0C6E97
              SHA-512:7B9B0E851ED2F298D0A1A92B30D98A1CE8991D0FF3A8B0CD454B299B2B16AB588736939883EDF864C948949A7B1B71569D2AE20F6B764973562E7878630DF862
              Malicious:false
              Reputation:low
              Preview:@...e.....................|.........F.....f..........@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)h.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2pz5sadz.0kr.psm1

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1

              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhwx0ezb.tco.ps1

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1

              C:\Users\user\Documents\20220808\PowerShell_transcript.472847.ilae6BhB.20220808152730.txt

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):997
              Entropy (8bit):5.187722648651258
              Encrypted:false
              SSDEEP:24:BxSAQxvBnAx2DOXUWjxo3WUHjeTKKjX4CIym1ZJX2bnxSAZD:BZUvhAoODUqDYB1ZAZZD
              MD5:067F9236BA00C43066C65FD9858E46C7
              SHA1:73E0ED9B5DE2D6094DCCE4E210145C6EF50B4516
              SHA-256:C8007A5212125F4C54A0C429B093DC94206C13AB28FEFD32FBF0C36F378CF037
              SHA-512:AF3B7508857F4270C426837D92CF83EC3B7E388FC0AEFDFCFA33CEDEFFE4E3BA184E6CC121C892A52ABB02F7E8927C76694454BE6809748BAD1804269FB1E7F3
              Malicious:false
              Preview:.**********************..Windows PowerShell transcript start..Start time: 20220808152732..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 472847 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==..Process ID: 3360..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220808152732..**********************..PS>Start-Sleep -Seconds 20..**********************..Command start time: 20220808153254..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20220808153254..**********************..

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.083057901296718
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              • Win32 Executable (generic) a (10002005/4) 49.78%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              File name:New Order 000212.exe
              File size:2097664
              MD5:989e8988e2ed04a3e86a6faf2727c00f
              SHA1:6a5397ef11996176e5c5ec5b94004591a77208e5
              SHA256:c19a3d6f7af18f9fae141a7234341d0bf8e1038638c13a625194eb3fece6a540
              SHA512:50f596a7fd926a0d5144546c2bda255aae5aae57db4daa82463e760a89f1d490601601da35ed3b480149fde1e9efecb9a92c9686a8de037050440201601b3c5d
              SSDEEP:49152:YLPt5dsLNzogcDK8U7BgpUrXbA3tDzWNx:26bcDugpSrYD
              TLSH:91A54ACB3E97092260AB0AFFC9127B62DCF457C49D50B2C15179EAB0581BF4FB50B16A
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... t.b..............0......^......~.... ........@.. .......................` ...........@................................

              File Icon

              Icon Hash:b6acfaac9a535b9a

              Static PE Info

              General

              Entrypoint:0x5fc17e
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x62F07420 [Mon Aug 8 02:25:36 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al

              Data Directories

              NameVirtual AddressVirtual Size Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IMPORT0x1fc12c0x4f.text
              IMAGE_DIRECTORY_ENTRY_RESOURCE0x1fe0000x5c00.rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC0x2040000xc.reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

              Sections

              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
              .text0x20000x1fa1840x1fa200unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rsrc0x1fe0000x5c000x5c00False0.9403447690217391data7.815329450100946IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc0x2040000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Resources

              NameRVASizeTypeLanguageCountry
              RT_ICON0x1fe1600x430PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
              RT_ICON0x1fe5a00xac8PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
              RT_ICON0x1ff0780x124fPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
              RT_ICON0x2002d80x32c0PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
              RT_GROUP_ICON0x2035a80x3edata
              RT_VERSION0x2035f80x374data
              RT_MANIFEST0x20397c0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

              Imports

              DLLImport
              mscoree.dll_CorExeMain

              Network Behavior

              No network behavior found

              Statistics

              Behavior

              Click to jump to process

              System Behavior

              General

              Target ID:0
              Start time:15:27:06
              Start date:08/08/2022
              Path:C:\Users\user\Desktop\New Order 000212.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\New Order 000212.exe"
              Imagebase:0x6c0000
              File size:2097664 bytes
              MD5 hash:989E8988E2ED04A3E86A6FAF2727C00F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.368882478.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.370454504.0000000003E31000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.371811220.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.390898687.0000000009050000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
              Reputation:low

              General

              Target ID:4
              Start time:15:27:29
              Start date:08/08/2022
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
              Imagebase:0xfc0000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              General

              Target ID:5
              Start time:15:27:30
              Start date:08/08/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7c9170000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Target ID:16
              Start time:15:28:02
              Start date:08/08/2022
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              Imagebase:0x610000
              File size:41064 bytes
              MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.360788700.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:high

              General

              Target ID:18
              Start time:15:28:07
              Start date:08/08/2022
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Explorer.EXE
              Imagebase:0x7ff6b8cf0000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000000.437480635.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000000.455452421.00000000074AC000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:high

              General

              Target ID:27
              Start time:15:29:01
              Start date:08/08/2022
              Path:C:\Windows\SysWOW64\explorer.exe
              Wow64 process (32bit):
              Commandline:C:\Windows\SysWOW64\explorer.exe
              Imagebase:
              File size:3611360 bytes
              MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high

              Disassembly

              No disassembly