Edit tour

Windows Analysis Report
Order Confirmation.exe

Overview

General Information

Sample name:	Order Confirmation.exe
Analysis ID:	1647195
MD5:	def8089469e487c53731ae99f90d757e
SHA1:	c05593e179f50a24d3fd02dc685a00a47775d844
SHA256:	e94a5d867470ecbde3df39a5ae8f69fd2000c9bd57183169953751544b3a4fbf
Tags:	exeuser-James_inthe_box
Infos:

Detection

Score:	68
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Enables debug privileges

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Order Confirmation.exe (PID: 2444 cmdline: "C:\Users\user\Desktop\Order Confirmation.exe" MD5: DEF8089469E487C53731AE99F90D757E)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Order Confirmation.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Order Confirmation.exe	Virustotal: Detection: 63%			Perma Link
Source: Order Confirmation.exe	ReversingLabs: Detection: 69%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: Order Confirmation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View	IP Address: 176.65.144.3 176.65.144.3
Source: Joe Sandbox View	IP Address: 176.65.144.3 176.65.144.3

Source: global traffic

TCP traffic: 192.168.2.11:49707 -> 176.65.144.3:80

Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3

Source: Order Confirmation.exe, 00000000.00000002.1390094926.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, Order Confirmation.exe, 00000000.00000002.1390094926.0000000003A78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3
Source: Order Confirmation.exe, 00000000.00000002.1390094926.00000000039F6000.00000004.00000800.00020000.00000000.sdmp, Order Confirmation.exe, 00000000.00000002.1390094926.00000000039FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/host/guy.exe
Source: Order Confirmation.exe, 00000000.00000002.1390094926.0000000003A78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order Confirmation.exe

Source: Order Confirmation.exe

Static PE information: No import functions for PE file found

Source: Order Confirmation.exe, 00000000.00000000.1137763727.00000000006FA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGUYY.exe4 vs Order Confirmation.exe
Source: Order Confirmation.exe	Binary or memory string: OriginalFilenameGUYY.exe4 vs Order Confirmation.exe

Source: classification engine

Classification label: mal68.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\Order Confirmation.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Order Confirmation.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Mutant created: NULL

Source: Order Confirmation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Order Confirmation.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Order Confirmation.exe	Virustotal: Detection: 63%
Source: Order Confirmation.exe	ReversingLabs: Detection: 69%

Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Order Confirmation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Order Confirmation.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Order Confirmation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Order Confirmation.exe, -Module-.cs

.Net Code: _202E_206A_206A_206C_202B_202D_200F_206F_206A_200B_206B_206E_202C_200D_206B_200D_200C_200B_206E_202A_200C_200E_200F_202C_206E_206C_200E_200E_206C_206B_200B_206A_202D_200E_202E_206B_206D_200B_202D_200D_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Order Confirmation.exe	Code function: 0_2_00007FFABC7649C0 push eax; iretd	0_2_00007FFABC7649E9
Source: C:\Users\user\Desktop\Order Confirmation.exe	Code function: 0_2_00007FFABC767055 push eax; iretd	0_2_00007FFABC76704D
Source: C:\Users\user\Desktop\Order Confirmation.exe	Code function: 0_2_00007FFABC766FC5 push eax; iretd	0_2_00007FFABC76704D

Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe	Memory allocated: 1020000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Memory allocated: 1B9E0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe TID: 6288	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe TID: 6288	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe TID: 5276	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe TID: 4616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Order Confirmation.exe, 00000000.00000002.1389321586.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Order Confirmation.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Queries volume information: C:\Users\user\Desktop\Order Confirmation.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Order Confirmation.exe	63%	Virustotal		Browse
Order Confirmation.exe	69%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
Order Confirmation.exe	100%	Avira	HEUR/AGEN.1313057

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://176.65.144.3/host/guy.exe	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Order Confirmation.exe, 00000000.00000002.1390094926.0000000003A78000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.65.144.3/host/guy.exe	Order Confirmation.exe, 00000000.00000002.1390094926.00000000039F6000.00000004.00000800.00020000.00000000.sdmp, Order Confirmation.exe, 00000000.00000002.1390094926.00000000039FC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.65.144.3	Order Confirmation.exe, 00000000.00000002.1390094926.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, Order Confirmation.exe, 00000000.00000002.1390094926.0000000003A78000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.65.144.3	unknown	Germany		12975	PALTEL-ASPALTELAutonomousSystemPS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1647195
Start date and time:	2025-03-24 16:07:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Order Confirmation.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@1/1@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 92% Number of executed functions: 31 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.31.69.3, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Order Confirmation.exe, PID 2444 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
11:08:56	API Interceptor	1x Sleep call for process: Order Confirmation.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.65.144.3	#U4ed8#U6b3e#U6c47#U6b3e#U901a#U77e5.js	Get hash	malicious	Remcos	Browse	176.65.144.3/host/kent.exe
	xenn.ps1	Get hash	malicious	RedLine	Browse	176.65.144.3/dev/xenbuild.exe
	Confirmaci#U00f3n de Pago.js	Get hash	malicious	Remcos	Browse	176.65.144.3/FILE/KENNNTTT.ps1
	STEPH.js	Get hash	malicious	FormBook	Browse	176.65.144.3/FILE/STEPH.ps1
	Rendel#U00e9si k#U00e9relem.exe	Get hash	malicious	DarkCloud	Browse	176.65.144.3/dev/fireballs.exe
	MUKK.ps1	Get hash	malicious	AgentTesla	Browse	176.65.144.3/dev/muhk.exe
	obfuscated (1).js	Get hash	malicious	XWorm	Browse	176.65.144.3/dev/BRAINN.exe
	KIM.ps1	Get hash	malicious	Stealerium	Browse	176.65.144.3/dev/Cooperbuild34.exe
	KENT.ps1	Get hash	malicious	Remcos	Browse	176.65.144.3/dev/kent.exe
	VIK.ps1.vir.txt.ps1	Get hash	malicious	AgentTesla	Browse	176.65.144.3/dev/DONORIGIN.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PALTEL-ASPALTELAutonomousSystemPS	RFQ)_87661.pdf .js	Get hash	malicious	Unknown	Browse	176.65.144.3
	11001011021.js	Get hash	malicious	Unknown	Browse	176.65.144.3
	11001011021.js	Get hash	malicious	Unknown	Browse	176.65.144.3
	payment-pdf.js	Get hash	malicious	Unknown	Browse	176.65.144.3
	DHL AWB.js	Get hash	malicious	Unknown	Browse	176.65.144.3
	DHL AWB.js	Get hash	malicious	Unknown	Browse	176.65.144.3
	#U4ed8#U6b3e#U6c47#U6b3e#U901a#U77e5.js	Get hash	malicious	Remcos	Browse	176.65.144.3
	owari.spc.elf	Get hash	malicious	Unknown	Browse	213.6.206.42
	SecuriteInfo.com.Win32.Trojan.Agent.QWCKHW.31433.26307.exe	Get hash	malicious	Unknown	Browse	176.65.138.157
	xenn.ps1	Get hash	malicious	RedLine	Browse	176.65.144.135

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Order Confirmation.exe.log

Download File

Process:	C:\Users\user\Desktop\Order Confirmation.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.625041322363815
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order Confirmation.exe
File size:	225'280 bytes
MD5:	def8089469e487c53731ae99f90d757e
SHA1:	c05593e179f50a24d3fd02dc685a00a47775d844
SHA256:	e94a5d867470ecbde3df39a5ae8f69fd2000c9bd57183169953751544b3a4fbf
SHA512:	bef7dfc74b3a931c67328ff86d580644d6c340bc434e5f58ad914f1330db7c45130c1aaaa61f5e0a7be4707fbd9c5744c35a92dd7e7a3f7469c730728d27ec3d
SSDEEP:	6144:+0jILNjcNnchQBp/SEUFW+Y+B9SY0DSAxl4KQbhTh9UUCH:+1NjcNnchQBp/SEUFW+Y+B9SY0DSAxl7
TLSH:	4D248C9C755072DFC867C472DEA81CA4EB6128BB931F4207906315BD9E1E99BCF980F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.........."......h............... .....@..... ....................................@...@......@............... .....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67E096CF [Sun Mar 23 23:18:39 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x4c6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x367e0	0x36800	8db63a1fc6434ed10d66721019a36324	False	0.3158821315940367	data	4.611604511546848	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3a000	0x4c6	0x600	958b4c70c5cfc30748af3a7b61fb8870	False	0.3736979166666667	data	3.710595291376913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3a0a0	0x23c	data			0.47202797202797203
RT_MANIFEST	0x3a2dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Version Infos

Description	Data
Translation	0x0000 0x04b0
FileDescription
FileVersion	0.0.0.0
InternalName	GUYY.exe
LegalCopyright
OriginalFilename	GUYY.exe
ProductVersion	0.0.0.0
Assembly Version	0.0.0.0

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2025 16:08:33.097564936 CET	49707	80	192.168.2.11	176.65.144.3
Mar 24, 2025 16:08:34.107033014 CET	49707	80	192.168.2.11	176.65.144.3
Mar 24, 2025 16:08:36.122687101 CET	49707	80	192.168.2.11	176.65.144.3
Mar 24, 2025 16:08:40.138272047 CET	49707	80	192.168.2.11	176.65.144.3
Mar 24, 2025 16:08:48.138380051 CET	49707	80	192.168.2.11	176.65.144.3

Statistics

CPU Usage

• Order Confirmation.exe

Click to jump to process

Memory Usage

• Order Confirmation.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

System Behavior

Analysis Process: Order Confirmation.exePID: 2444, Parent PID: 4076

Function Logs Amsi Logs

General

Target ID:	0
Start time:	11:08:31
Start date:	24/03/2025
Path:	C:\Users\user\Desktop\Order Confirmation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Order Confirmation.exe"
Imagebase:	0x6c0000
File size:	225'280 bytes
MD5 hash:	DEF8089469E487C53731AE99F90D757E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Network Activities

Socket bound

Socket connected

Process Token Activities

Token Adjusted

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: Order Confirmation.exePID: 2444, Parent PID: 4076COMMON

Executed Functions

Function 00007FFABC7663E0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

sBO_^, xrefs: 00007FFABC76641B

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID: sBO_^
API String ID: 0-182594170
Opcode ID: 3028ddb3722742d4236eed02e66c6778091afce3541c3baedba77553a7976a95
Instruction ID: 1c63f50cf1163c3d51278436c53c4ce866f50936917a948b3bb5c5a04eddde74
Opcode Fuzzy Hash: 3028ddb3722742d4236eed02e66c6778091afce3541c3baedba77553a7976a95
Instruction Fuzzy Hash: A6E09B30A0C5024BF31DB638D0117F955639F86314F50847DD10D862D2DE7D68C1C380

Function 00007FFABC76322D Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

dYy, xrefs: 00007FFABC763257

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID: dYy
API String ID: 0-626756453
Opcode ID: 2a20e462fb7fd9994958b5d2c46e3cc4072e268e6bd180066a25ed9744d23384
Instruction ID: 7bf629a82c0e09f3f1931db513ff027239a76e5dd3acd7862dd3c54a78675bf3
Opcode Fuzzy Hash: 2a20e462fb7fd9994958b5d2c46e3cc4072e268e6bd180066a25ed9744d23384
Instruction Fuzzy Hash: 28E08C72909B058FE354E728C4849AAB3E2FFA2304F108838E08EC7352EE31F941C740

Function 00007FFABC76366E Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

h'Q, xrefs: 00007FFABC763684

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID: h'Q
API String ID: 0-731743828
Opcode ID: 326c4fdf559db299a9cda0cfb37735aab7b587a36e2db0fc5bbb9907075408e9
Instruction ID: f48e3d3ed6ba138d3816b8927ae9a365cf9b93660582cb7e190c0247072efc7c
Opcode Fuzzy Hash: 326c4fdf559db299a9cda0cfb37735aab7b587a36e2db0fc5bbb9907075408e9
Instruction Fuzzy Hash: E6D0C934B04A098F8369A71D8852CA6B3E1FF85741B21943C95CFC3751DE26F986D740

Function 00007FFABC762494 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259f7890fcc896b3e744813c61cfbc81e21b932891b113ea53bde5cd03ef1ffa
Instruction ID: bbc2226a8401ea2c399f5132f23dee6958263faf8b5bdb253c0cea9d3ebbfbf4
Opcode Fuzzy Hash: 259f7890fcc896b3e744813c61cfbc81e21b932891b113ea53bde5cd03ef1ffa
Instruction Fuzzy Hash: 5E81F6A1E1CB864FD795E73888659A1BBF2EF66310F0482BAE04FC7597DD28A8448741

Function 00007FFABC760588 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5e5578709386965f7fd78aff9f4d2e28c0586ade97099e042967aefd53f168
Instruction ID: 7599c9e357a24b61b098bdff223c808f9fbd381b875eada288bfa59410d32e49
Opcode Fuzzy Hash: ea5e5578709386965f7fd78aff9f4d2e28c0586ade97099e042967aefd53f168
Instruction Fuzzy Hash: 8A61C7A1F18E4A4BD698E7788459EA5B7E2FFA5310F00C6BAE00FC7597DD38E4448781

Function 00007FFABC763AA0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6acdd4771057f50591bc4825924419e38a766be067af6d2e926fef78c4d1f0f6
Instruction ID: 0f9d1588dee868f11fe1655e927626c34372bc401e233b3a8a5f4fb129c34c45
Opcode Fuzzy Hash: 6acdd4771057f50591bc4825924419e38a766be067af6d2e926fef78c4d1f0f6
Instruction Fuzzy Hash: 3B41CEA280E7C11FD30B87349C666A27FB5EF53224B1B42EFD485CB5E3E518591AC362

Function 00007FFABC762249 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db54d476ca1dd868af04051175f54b72aa4e6291ee68797472fe928fda37a99e
Instruction ID: e88d65c43522b0eaeb64fd6ef4043f13a15e03b3d572f08f5004ff4c4ced971d
Opcode Fuzzy Hash: db54d476ca1dd868af04051175f54b72aa4e6291ee68797472fe928fda37a99e
Instruction Fuzzy Hash: 2621D761B1CD050BE78CA61C68566FC73D2EBD9321B54827EE54FC32D6EC245C4302CA

Function 00007FFABC766473 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a0bd3c77ffd9ca0feb023f2fea9f440597c6b37a519cdec4262d5479995d26
Instruction ID: 53f2029a6ebb49049db28c1704df4403b57eb1bfbf12995bfdc7301c79ad210a
Opcode Fuzzy Hash: 37a0bd3c77ffd9ca0feb023f2fea9f440597c6b37a519cdec4262d5479995d26
Instruction Fuzzy Hash: 2231BF7180EB894FD792DB78486A5E97FF1EF47310B4941EBD44CCB1A3D928184A8762

Function 00007FFABC7605B0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b937d6db05c98cfd722e200725157e0c24212d64f21b4fb0a16400488c0f9d2
Instruction ID: c2d3055be5f74771da612c2acf9ab010ab74c827252c076d55febf9c7854e3b0
Opcode Fuzzy Hash: 3b937d6db05c98cfd722e200725157e0c24212d64f21b4fb0a16400488c0f9d2
Instruction Fuzzy Hash: F3112232B1C20D0F972C992C9C0B577B3DAE3C3220B01933EE6CBC2292ED64A81341C5

Function 00007FFABC7634A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faad023063e1f76169643420c1d8a48e673849d35483eaa4cd0a64e541605848
Instruction ID: 3291105c383b6e1f0ff82269f9cee5d9479795151b6cb9d81f68e74a396a908d
Opcode Fuzzy Hash: faad023063e1f76169643420c1d8a48e673849d35483eaa4cd0a64e541605848
Instruction Fuzzy Hash: FD314B7190D7814FD30ADB28C8A19617FB1EF67300B1A44EED5CACB5A3D928A885C762

Function 00007FFABC761232 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389ffdb612597b115f33e854679d0b87643fdd149f6df32d487c085c7b312bca
Instruction ID: c5abc93a5db8bfc91d30e91844e77db8a7bc2ba6c9094a39b689bcbc434f41ef
Opcode Fuzzy Hash: 389ffdb612597b115f33e854679d0b87643fdd149f6df32d487c085c7b312bca
Instruction Fuzzy Hash: C6419270E0862D8FDBA9DF18C895BE9B7B1FB69300F1081E9954DA7251DB74AEC18F40

Function 00007FFABC7630BB Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9487496a48394741f461ef7ef22c238b658e99cb215ed157ba419ba57d6bdeb9
Instruction ID: 6e3f0376ee9d9f0290d1df4cbb8b7764df348de0326a9c7e207540c787908c49
Opcode Fuzzy Hash: 9487496a48394741f461ef7ef22c238b658e99cb215ed157ba419ba57d6bdeb9
Instruction Fuzzy Hash: DA112131B2C14D1B872C9D3C880A537B79AE3C7310B01D33EEACBC2282EE64A81341C5

Function 00007FFABC7605A8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f4891122d59874a14fb7850faf719de80ae8f54aebc8d735d38ab2bf06ca5f
Instruction ID: 77d1e11cd2d94e885e057a10e98be6e5ed41a74cf514b05f18defd5e7a704e78
Opcode Fuzzy Hash: 21f4891122d59874a14fb7850faf719de80ae8f54aebc8d735d38ab2bf06ca5f
Instruction Fuzzy Hash: 3101243260C5050FA72CA96DA85B8BA7799D383330765527EE58BC2692E851AC5382C4

Function 00007FFABC76352D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9c9c9d2f4d2f549f3678d5601b42c1ae0e389b44ce0e10b966d5f4b2951abb
Instruction ID: c4032a923cb9f16200c867e888717a7f1a3db830ddb0391335e4625ee49fd118
Opcode Fuzzy Hash: ee9c9c9d2f4d2f549f3678d5601b42c1ae0e389b44ce0e10b966d5f4b2951abb
Instruction Fuzzy Hash: B4216D7180E7C14FD307CB2888618957FB1AF63300F1A84FBD1CACB5A7E528A849C762

Function 00007FFABC7620A0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ba63aad45b09c9fd4718ac08fa0d12786538af1187dca3e5a3cc9392d32ea4
Instruction ID: e0d9cdd44430d859f37fdee17a2197967223a9b4f0c87c7a58cc6fdf0947f9f8
Opcode Fuzzy Hash: 22ba63aad45b09c9fd4718ac08fa0d12786538af1187dca3e5a3cc9392d32ea4
Instruction Fuzzy Hash: 54118970D3DB814FD748DB6C8056869BBE1FF95701F44587DE18AC7292DE78E4418B42

Function 00007FFABC766556 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d3032d8016d173991eb7865bb9b3f1f2f6adeaffb5ca03b14898515dd3a1bd
Instruction ID: b4b9846e23cee4ab10b92dffe27153517652e6220fe9e8e178190c5e2ca1a046
Opcode Fuzzy Hash: b0d3032d8016d173991eb7865bb9b3f1f2f6adeaffb5ca03b14898515dd3a1bd
Instruction Fuzzy Hash: 1A110892E0594A4FA6C4D76C8457AB96BF2EF8A380BD4443AD54DD328BDD285C430741

Function 00007FFABC760873 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643d72e0cfad8ea243b38e280e7f0caf79178cca66e6f07e2e6cc29b847ed44c
Instruction ID: 571a7dd5aa304be8db2573b075a685a6a2bd215a2641f59456a014264a33c990
Opcode Fuzzy Hash: 643d72e0cfad8ea243b38e280e7f0caf79178cca66e6f07e2e6cc29b847ed44c
Instruction Fuzzy Hash: 4B11C435E0964D8FEB25DB18D8549ED77F1FB9A320F0042BAD54DE7281DE346A54CB40

Function 00007FFABC76296A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6d38b61ef2c17b58bb03c865bde1b613ed6588b91cabd28884514ddaaeb09f
Instruction ID: 33fe343d2cfb1551f69a2e1b132a9375150d992d0f45935afcb88cb6e143db7f
Opcode Fuzzy Hash: 0b6d38b61ef2c17b58bb03c865bde1b613ed6588b91cabd28884514ddaaeb09f
Instruction Fuzzy Hash: A4F0C831B186064F870CEE2D885587973E6FBCA705750923DE54FC72D7CE74AD528684

Function 00007FFABC7641C7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77763e09bffb06b17cbaad50006f62e1991bad30115c04b4c9246a98c0c279c
Instruction ID: 680990106de3d5003c2f626315dd84e39060c68db918b877135de1879f32b97c
Opcode Fuzzy Hash: c77763e09bffb06b17cbaad50006f62e1991bad30115c04b4c9246a98c0c279c
Instruction Fuzzy Hash: 29F0C26AB48A0A4BD71CDE28C881469B3D3E7D5360728C33AC55BC7694CE38E8934680

Function 00007FFABC760F43 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba7d61227743a93c23b5bed6cd06b2b6c8ae4f62fb6d60df6e7f41c46148776
Instruction ID: 1fe9aa51f85e2a3f5c4a67521b1d365ef07d16f396bfb11827004759c84ab305
Opcode Fuzzy Hash: 0ba7d61227743a93c23b5bed6cd06b2b6c8ae4f62fb6d60df6e7f41c46148776
Instruction Fuzzy Hash: 2001D2B0D14A46CFE3A4DB649845AE833B2EF86344F5041F9D00EAB2C6CE3868858B40

Function 00007FFABC762C3F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10f73750534555b97eb9c776fd4875fb1abfa2b8afc2baaeeefc8e86d4d1814
Instruction ID: 7f8cd876cb658eaf3f2563c4f0bd2093f178226003360537edf4e626d8675442
Opcode Fuzzy Hash: d10f73750534555b97eb9c776fd4875fb1abfa2b8afc2baaeeefc8e86d4d1814
Instruction Fuzzy Hash: 32F0B432B0CA0A47C76C9E6C89B19B673D3D7A4350754C73EC20BC66E9EC3469464280

Function 00007FFABC760FD2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9218b09fbf480188c8be6da34c8d1c278e516b26c7d86477cbad7be9384144
Instruction ID: dabc434b238e024623083e66903bb757e6748c20629f61b6d78c38146a2a28c3
Opcode Fuzzy Hash: 7a9218b09fbf480188c8be6da34c8d1c278e516b26c7d86477cbad7be9384144
Instruction Fuzzy Hash: 42016270D14959CFE754DB24DC44AE97373EFC9315F5481F6D00E5A385CE346D818A40

Function 00007FFABC767CA4 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227f66710ef91fecf958ed550eb8021891481fb3893e6201d0f7edc58f4ecf8f
Instruction ID: 814955a4894e9462ad3a7606ebc847fd33345c9584812d0914843a254517ee91
Opcode Fuzzy Hash: 227f66710ef91fecf958ed550eb8021891481fb3893e6201d0f7edc58f4ecf8f
Instruction Fuzzy Hash: 48F08C3296C7C84FC715AF3884860AABFE4FB4A619F00057EE9DBC2140DB3494458B83

Function 00007FFABC762ED5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763b612244cb3acc74fe1bea55462435e67030b0ec4d61a7bb48c5b7c6815c24
Instruction ID: 2c5d2f6063897604f2c956acabd58030fdd243368ba220a62361989a4f4fe731
Opcode Fuzzy Hash: 763b612244cb3acc74fe1bea55462435e67030b0ec4d61a7bb48c5b7c6815c24
Instruction Fuzzy Hash: C8E0D13070860E8BC75CFF14C4545B67353EB85311F10823FC6178B695DD7469454744

Function 00007FFABC7632A2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce397b8dc318236c4915baa837d8f71a9ad81091c78c5ea1b09afd9f11c3130
Instruction ID: 4cd61ddda9d7784ee3bd3a89e8389fa8b93ce9d3e984756276f0251c8f479865
Opcode Fuzzy Hash: 2ce397b8dc318236c4915baa837d8f71a9ad81091c78c5ea1b09afd9f11c3130
Instruction Fuzzy Hash: F2E08C71B6C7008B824CDB2CC893836B7E2EBD9310B20A83DA0CB83251C930F841CA43

Function 00007FFABC760B54 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52553950d952a9bac287f41726cdc01a9dcf9ab134dff7488493ee500b20be48
Instruction ID: 99da6a6df8359b94d0b615a8f39921840cc87605e40bd4448676867343a2da80
Opcode Fuzzy Hash: 52553950d952a9bac287f41726cdc01a9dcf9ab134dff7488493ee500b20be48
Instruction Fuzzy Hash: E5E0C2A2D0CA470AF3949F2C481A6F8ABF0EF16340F8881B9D40CC2182ED2818C58A51

Function 00007FFABC7623CF Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b078e19926d66a5d4f3c29deb6d232127dbf1ed9f20415581ef443d12dfdfb
Instruction ID: 5f58e5b320bc537b8dda5b761141fca83c02f5fc177faec452b9b46b28775261
Opcode Fuzzy Hash: a3b078e19926d66a5d4f3c29deb6d232127dbf1ed9f20415581ef443d12dfdfb
Instruction Fuzzy Hash: 8CC08C22E0C1020A66ECA12A042383A616F87CA700B32F03F874F93287CC346C131282

Function 00007FFABC763C7F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe61bc57c3403363b1cbc727345453dd101e165ff9c77f688bd5179c6ab5ba9b
Instruction ID: 71198838199ae192b8646d4ecb9badcf8157ce94bae1390c088273777f922ce6
Opcode Fuzzy Hash: fe61bc57c3403363b1cbc727345453dd101e165ff9c77f688bd5179c6ab5ba9b
Instruction Fuzzy Hash: CBC012319942418B921C5F3841524353276AB87306B10543EC64B421D28DA5A4438906

Function 00007FFABC763691 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946bbbbcad14dad4f53ed57bf1d261a0b824d19e339064b9750457258ebbdd70
Instruction ID: c8eb4cffcd5bb00fe701ee519b1491b44fc4450b6c944d6d8de12f0f6990cd1a
Opcode Fuzzy Hash: 946bbbbcad14dad4f53ed57bf1d261a0b824d19e339064b9750457258ebbdd70
Instruction Fuzzy Hash: FAD0A730919300CFC39DDB2CC09293AB7F0AF85701F60A43DE187522B0CA31F482C642

Function 00007FFABC763DEA Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c1120ac0356d6e21b09cf790ec9468fec35f59612751581e82a831f9735bdf
Instruction ID: 859e3be18b7dcd7d98fc75950e725fa125cbd04e05855253c5c2d7bdea7daeb3
Opcode Fuzzy Hash: 00c1120ac0356d6e21b09cf790ec9468fec35f59612751581e82a831f9735bdf
Instruction Fuzzy Hash: 87C012319441454F925C962840124353266AB8A705721A03FD24B426928E64A8428A0A

Function 00007FFABC763424 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392747743.00007FFABC760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFABC760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffabc760000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d33ef78fcc43a4d588c82515e9395627c02c29be719cf95dea062f949909b5b
Instruction ID: b3f2fbb56403ec2f07e218a194d53f3572bef05eca7049aa0a2f134cb60a2152
Opcode Fuzzy Hash: 8d33ef78fcc43a4d588c82515e9395627c02c29be719cf95dea062f949909b5b
Instruction Fuzzy Hash: 32C04C34B09B058BE1299A1D440157577B19B86714760557CA24FC3792CD25E892D544

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order Confirmation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Order Confirmation.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Version Infos

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Order Confirmation.exePID: 2444, Parent PID: 4076

General

File Activities

File Opened

File Created

File Written

File Read

Windows Analysis Report
Order Confirmation.exe