Edit tour

Windows Analysis Report
Order Confirmation.exe

Overview

General Information

Sample name:	Order Confirmation.exe
Analysis ID:	1647195
MD5:	def8089469e487c53731ae99f90d757e
SHA1:	c05593e179f50a24d3fd02dc685a00a47775d844
SHA256:	e94a5d867470ecbde3df39a5ae8f69fd2000c9bd57183169953751544b3a4fbf
Tags:	exeuser-James_inthe_box
Infos:

Detection

Score:	68
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Enables debug privileges

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Order Confirmation.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\Order Confirmation.exe" MD5: DEF8089469E487C53731AE99F90D757E)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Order Confirmation.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Order Confirmation.exe	Virustotal: Detection: 63%			Perma Link
Source: Order Confirmation.exe	ReversingLabs: Detection: 69%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Order Confirmation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View	IP Address: 176.65.144.3 176.65.144.3
Source: Joe Sandbox View	IP Address: 176.65.144.3 176.65.144.3

Source: global traffic

TCP traffic: 192.168.2.4:49722 -> 176.65.144.3:80

Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.3

Source: Order Confirmation.exe, 00000001.00000002.1662396132.00000000035A5000.00000004.00000800.00020000.00000000.sdmp, Order Confirmation.exe, 00000001.00000002.1662396132.00000000035C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3
Source: Order Confirmation.exe, 00000001.00000002.1662396132.0000000003529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.65.144.3/host/guy.exe
Source: Order Confirmation.exe, 00000001.00000002.1662396132.00000000035A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order Confirmation.exe

Source: Order Confirmation.exe

Static PE information: No import functions for PE file found

Source: Order Confirmation.exe, 00000001.00000000.1306801110.000000000026A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGUYY.exe4 vs Order Confirmation.exe
Source: Order Confirmation.exe	Binary or memory string: OriginalFilenameGUYY.exe4 vs Order Confirmation.exe

Source: classification engine

Classification label: mal68.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\Order Confirmation.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Order Confirmation.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Mutant created: NULL

Source: Order Confirmation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Order Confirmation.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Order Confirmation.exe	Virustotal: Detection: 63%
Source: Order Confirmation.exe	ReversingLabs: Detection: 69%

Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Order Confirmation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Order Confirmation.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Order Confirmation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Order Confirmation.exe, -Module-.cs

.Net Code: _202E_206A_206A_206C_202B_202D_200F_206F_206A_200B_206B_206E_202C_200D_206B_200D_200C_200B_206E_202A_200C_200E_200F_202C_206E_206C_200E_200E_206C_206B_200B_206A_202D_200E_202E_206B_206D_200B_202D_200D_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Order Confirmation.exe	Code function: 1_2_00007FFC3D8F49C0 push eax; iretd	1_2_00007FFC3D8F49E9
Source: C:\Users\user\Desktop\Order Confirmation.exe	Code function: 1_2_00007FFC3D8F00BD pushad ; iretd	1_2_00007FFC3D8F00C1
Source: C:\Users\user\Desktop\Order Confirmation.exe	Code function: 1_2_00007FFC3D8F7043 push eax; iretd	1_2_00007FFC3D8F704D

Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe	Memory allocated: B90000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe	Memory allocated: 1B520000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe TID: 7932	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe TID: 7932	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe TID: 8132	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Confirmation.exe TID: 7868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Order Confirmation.exe, 00000001.00000002.1661994859.0000000000B56000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Order Confirmation.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Queries volume information: C:\Users\user\Desktop\Order Confirmation.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Order Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Order Confirmation.exe	63%	Virustotal		Browse
Order Confirmation.exe	69%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
Order Confirmation.exe	100%	Avira	HEUR/AGEN.1313057

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://176.65.144.3/host/guy.exe	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Order Confirmation.exe, 00000001.00000002.1662396132.00000000035A5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.65.144.3/host/guy.exe	Order Confirmation.exe, 00000001.00000002.1662396132.0000000003529000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.65.144.3	Order Confirmation.exe, 00000001.00000002.1662396132.00000000035A5000.00000004.00000800.00020000.00000000.sdmp, Order Confirmation.exe, 00000001.00000002.1662396132.00000000035C2000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.65.144.3	unknown	Germany		12975	PALTEL-ASPALTELAutonomousSystemPS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1647195
Start date and time:	2025-03-24 16:12:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Order Confirmation.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@1/1@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 33 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.31.69.3, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Order Confirmation.exe, PID 7752 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.65.144.3	#U4ed8#U6b3e#U6c47#U6b3e#U901a#U77e5.js	Get hash	malicious	Remcos	Browse	176.65.144.3/host/kent.exe
	xenn.ps1	Get hash	malicious	RedLine	Browse	176.65.144.3/dev/xenbuild.exe
	Confirmaci#U00f3n de Pago.js	Get hash	malicious	Remcos	Browse	176.65.144.3/FILE/KENNNTTT.ps1
	STEPH.js	Get hash	malicious	FormBook	Browse	176.65.144.3/FILE/STEPH.ps1
	Rendel#U00e9si k#U00e9relem.exe	Get hash	malicious	DarkCloud	Browse	176.65.144.3/dev/fireballs.exe
	MUKK.ps1	Get hash	malicious	AgentTesla	Browse	176.65.144.3/dev/muhk.exe
	obfuscated (1).js	Get hash	malicious	XWorm	Browse	176.65.144.3/dev/BRAINN.exe
	KIM.ps1	Get hash	malicious	Stealerium	Browse	176.65.144.3/dev/Cooperbuild34.exe
	KENT.ps1	Get hash	malicious	Remcos	Browse	176.65.144.3/dev/kent.exe
	VIK.ps1.vir.txt.ps1	Get hash	malicious	AgentTesla	Browse	176.65.144.3/dev/DONORIGIN.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PALTEL-ASPALTELAutonomousSystemPS	RFQ)_87661.pdf .js	Get hash	malicious	Unknown	Browse	176.65.144.3
	11001011021.js	Get hash	malicious	Unknown	Browse	176.65.144.3
	11001011021.js	Get hash	malicious	Unknown	Browse	176.65.144.3
	payment-pdf.js	Get hash	malicious	Unknown	Browse	176.65.144.3
	DHL AWB.js	Get hash	malicious	Unknown	Browse	176.65.144.3
	DHL AWB.js	Get hash	malicious	Unknown	Browse	176.65.144.3
	#U4ed8#U6b3e#U6c47#U6b3e#U901a#U77e5.js	Get hash	malicious	Remcos	Browse	176.65.144.3
	owari.spc.elf	Get hash	malicious	Unknown	Browse	213.6.206.42
	SecuriteInfo.com.Win32.Trojan.Agent.QWCKHW.31433.26307.exe	Get hash	malicious	Unknown	Browse	176.65.138.157

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Order Confirmation.exe.log

Download File

Process:	C:\Users\user\Desktop\Order Confirmation.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.625041322363815
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order Confirmation.exe
File size:	225'280 bytes
MD5:	def8089469e487c53731ae99f90d757e
SHA1:	c05593e179f50a24d3fd02dc685a00a47775d844
SHA256:	e94a5d867470ecbde3df39a5ae8f69fd2000c9bd57183169953751544b3a4fbf
SHA512:	bef7dfc74b3a931c67328ff86d580644d6c340bc434e5f58ad914f1330db7c45130c1aaaa61f5e0a7be4707fbd9c5744c35a92dd7e7a3f7469c730728d27ec3d
SSDEEP:	6144:+0jILNjcNnchQBp/SEUFW+Y+B9SY0DSAxl4KQbhTh9UUCH:+1NjcNnchQBp/SEUFW+Y+B9SY0DSAxl7
TLSH:	4D248C9C755072DFC867C472DEA81CA4EB6128BB931F4207906315BD9E1E99BCF980F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.........."......h............... .....@..... ....................................@...@......@............... .....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67E096CF [Sun Mar 23 23:18:39 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x4c6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x367e0	0x36800	8db63a1fc6434ed10d66721019a36324	False	0.3158821315940367	data	4.611604511546848	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3a000	0x4c6	0x600	958b4c70c5cfc30748af3a7b61fb8870	False	0.3736979166666667	data	3.710595291376913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3a0a0	0x23c	data			0.47202797202797203
RT_MANIFEST	0x3a2dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Version Infos

Description	Data
Translation	0x0000 0x04b0
FileDescription
FileVersion	0.0.0.0
InternalName	GUYY.exe
LegalCopyright
OriginalFilename	GUYY.exe
ProductVersion	0.0.0.0
Assembly Version	0.0.0.0

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2025 16:13:57.693998098 CET	49722	80	192.168.2.4	176.65.144.3
Mar 24, 2025 16:13:58.696672916 CET	49722	80	192.168.2.4	176.65.144.3
Mar 24, 2025 16:14:00.712445021 CET	49722	80	192.168.2.4	176.65.144.3
Mar 24, 2025 16:14:04.712393045 CET	49722	80	192.168.2.4	176.65.144.3
Mar 24, 2025 16:14:12.728055954 CET	49722	80	192.168.2.4	176.65.144.3

Statistics

CPU Usage

• Order Confirmation.exe

Click to jump to process

Memory Usage

• Order Confirmation.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

System Behavior

Analysis Process: Order Confirmation.exePID: 7752, Parent PID: 3964

Function Logs Amsi Logs

General

Target ID:	1
Start time:	11:13:45
Start date:	24/03/2025
Path:	C:\Users\user\Desktop\Order Confirmation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Order Confirmation.exe"
Imagebase:	0x230000
File size:	225'280 bytes
MD5 hash:	DEF8089469E487C53731AE99F90D757E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Network Activities

Socket bound

Socket connected

Process Token Activities

Token Adjusted

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: Order Confirmation.exePID: 7752, Parent PID: 3964COMMON

Executed Functions

Function 00007FFC3D8F2494 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

hm~=, xrefs: 00007FFC3D8F260B
pq~=, xrefs: 00007FFC3D8F2666

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID: hm~=$pq~=
API String ID: 0-2910195243
Opcode ID: 477c3f25170b898e703cc5b201ff9cfe5a0fcc3597d301280c588193602b4d34
Instruction ID: ee70b8336fbadbfee66c75f5e80daf3ba5c49fc375a88958d976b55c8037f779
Opcode Fuzzy Hash: 477c3f25170b898e703cc5b201ff9cfe5a0fcc3597d301280c588193602b4d34
Instruction Fuzzy Hash: B971A662A1CA9F4FDB5AE76444656B67BF1EF65210F0442FAD04AC7187FC2CB804C762

Function 00007FFC3D8F0575 Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

hm~=, xrefs: 00007FFC3D8F260B
pq~=, xrefs: 00007FFC3D8F2666

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID: hm~=$pq~=
API String ID: 0-2910195243
Opcode ID: 3c15e150de7b4c61b670621fa1b1bf899b65619ad1fca1078899869eb82c68e8
Instruction ID: 3c773685a74718b7c0728cfee7318cf0b0f574b0835bcb162b14743ead6a9e98
Opcode Fuzzy Hash: 3c15e150de7b4c61b670621fa1b1bf899b65619ad1fca1078899869eb82c68e8
Instruction Fuzzy Hash: 9961EA52B18A5F4BEA6DE76844656B677E1FF68310F0046BAD14FC7287FC28B404C752

Function 00007FFC3D8F0588 Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

hm~=, xrefs: 00007FFC3D8F260B
pq~=, xrefs: 00007FFC3D8F2666

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID: hm~=$pq~=
API String ID: 0-2910195243
Opcode ID: 8c80ea270cb337cf2561806b5f87fb05b9764d1b3625a1d76fd8e54dd12303f9
Instruction ID: 93529594488193a99f0fc3e44dd27e2fe5ab44e2b82be45da5276caf66e2b0d9
Opcode Fuzzy Hash: 8c80ea270cb337cf2561806b5f87fb05b9764d1b3625a1d76fd8e54dd12303f9
Instruction Fuzzy Hash: E661B952B18A5F4BEA6DE76844656B6B7E1FF68314F0046BAD10FC7287FC28B404C792

Function 00007FFC3D8F2249 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

Pi~=, xrefs: 00007FFC3D8F2255

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID: Pi~=
API String ID: 0-1151023224
Opcode ID: ec3792374af25d8e818b8de71c0501520bdf1caee1b40525d58695fa7dfdd32f
Instruction ID: b048d2b3ef21e43639ab54971da460d4e787833a7409a1d86eca9be9721bbe36
Opcode Fuzzy Hash: ec3792374af25d8e818b8de71c0501520bdf1caee1b40525d58695fa7dfdd32f
Instruction Fuzzy Hash: 3421C531B0C91E0BA64CE65C78562B863C6EBD9360B54427ED44FC33E6EC556D1742C7

Function 00007FFC3D8F0472 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

sBO_^, xrefs: 00007FFC3D8F6463

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID: sBO_^
API String ID: 0-182594170
Opcode ID: 7ab48a1be7397d661431b53a20d4ee5bbfbe360f12272ef5cc1bf4dd93b9fc25
Instruction ID: c1785c8698d5eeb99dddbc27bddc452e10aa9db793ce5ee164dfc69ad73a7177
Opcode Fuzzy Hash: 7ab48a1be7397d661431b53a20d4ee5bbfbe360f12272ef5cc1bf4dd93b9fc25
Instruction Fuzzy Hash: 1F110821E0D26F4BE7269BA464526752B6E9F81350F1402B2C409CB3D7EC7C7809D3E3

Function 00007FFC3D8F63E0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

sBO_^, xrefs: 00007FFC3D8F641B

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID: sBO_^
API String ID: 0-182594170
Opcode ID: 7d901448796ec9b2cfa107f3064c8ad3cc3223184ba793c5cb4a44232abfaa95
Instruction ID: aacd976c02263b5f92b3fe884416d023ca1956a455c9a17a6014381f3876aded
Opcode Fuzzy Hash: 7d901448796ec9b2cfa107f3064c8ad3cc3223184ba793c5cb4a44232abfaa95
Instruction Fuzzy Hash: ADE09B3170C12E47F36DB674A0113B965579F85354F100579D109873D3EE7D6885D3A2

Function 00007FFC3D8F322D Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

dYy, xrefs: 00007FFC3D8F3257

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID: dYy
API String ID: 0-626756453
Opcode ID: 2a20e462fb7fd9994958b5d2c46e3cc4072e268e6bd180066a25ed9744d23384
Instruction ID: eaa37046fcf9f28b420c6733cd8464a3baaf5a41e94e01c1fee28372aa4d218b
Opcode Fuzzy Hash: 2a20e462fb7fd9994958b5d2c46e3cc4072e268e6bd180066a25ed9744d23384
Instruction Fuzzy Hash: CDE08C72909B0D8FE350E664D4816AAB3EAFF95344F104838E08AC7352FE34F909D782

Function 00007FFC3D8F366E Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

h'Q, xrefs: 00007FFC3D8F3684

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID: h'Q
API String ID: 0-731743828
Opcode ID: 326c4fdf559db299a9cda0cfb37735aab7b587a36e2db0fc5bbb9907075408e9
Instruction ID: dc8fcd8fdf43d28b181951ce877b160a68ba0b79dd32c60b0fbd35d861d9265a
Opcode Fuzzy Hash: 326c4fdf559db299a9cda0cfb37735aab7b587a36e2db0fc5bbb9907075408e9
Instruction Fuzzy Hash: 4CD0A93070460D8F8369A61888028A6B3E5FF88740B20043CD4CBC3340EA26F94AE782

Function 00007FFC3D8F3AA0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897868e719a538aa14a9f28bf2490b4e7837d7a47d4350c219b3c09f00be094f
Instruction ID: e93c342c865621b79bfdeda3daa090905f6e25f197e6e065d13c6564f0d481f1
Opcode Fuzzy Hash: 897868e719a538aa14a9f28bf2490b4e7837d7a47d4350c219b3c09f00be094f
Instruction Fuzzy Hash: 3B41D16240D7C51FD30B8734AC666927FB5DF53214B1B42EFD481CB5E3E518591AC3A2

Function 00007FFC3D8F6473 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e0548f09f281fee75a55d13a96fe3f7b612a8dd18097100d091e7c862b835e
Instruction ID: d6591efe1930597cc707a68737aa4968de9c0b842f6048b13a5ca9061cf15426
Opcode Fuzzy Hash: a4e0548f09f281fee75a55d13a96fe3f7b612a8dd18097100d091e7c862b835e
Instruction Fuzzy Hash: 8A31F17180DB9D4FD792DB74582A6E97FF1EF1725070901EBC448DB2A3E919280AC7A3

Function 00007FFC3D8F05B0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b937d6db05c98cfd722e200725157e0c24212d64f21b4fb0a16400488c0f9d2
Instruction ID: 9536fc9018fc57e46a887e57804e50479f79094b0c9b7da9889f74ab3b5930ec
Opcode Fuzzy Hash: 3b937d6db05c98cfd722e200725157e0c24212d64f21b4fb0a16400488c0f9d2
Instruction Fuzzy Hash: EF11D032B5C21D1F972C9868A80B177B39AD3C6221B11933EE587C2296ED65A81341C6

Function 00007FFC3D8F34A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faad023063e1f76169643420c1d8a48e673849d35483eaa4cd0a64e541605848
Instruction ID: 0188de6acce93fd6cac15ba8d651e53bc09c82932d67a291c4f97a6c98e9f7f8
Opcode Fuzzy Hash: faad023063e1f76169643420c1d8a48e673849d35483eaa4cd0a64e541605848
Instruction Fuzzy Hash: FD314B7190D7854FD30ADB24D8A19627FB0EF67340B1A44EED4C6CB6A3E928A845C763

Function 00007FFC3D8F1235 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df99050ea02035859b29c9a230f1d7131d83a9a58f6de5dfd002059ab03cfabf
Instruction ID: 90d2f7caca1c09348c3cdaadf662893c3e7c2c7f4315497e8f36b5a7ad2e426c
Opcode Fuzzy Hash: df99050ea02035859b29c9a230f1d7131d83a9a58f6de5dfd002059ab03cfabf
Instruction Fuzzy Hash: 8841A470D0862D8FDBA9DB48C895BE8B7B1FB58300F1041E9944DE7251DA746EC4CF51

Function 00007FFC3D8F30BA Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5fcb7421ae708140d7f434178a3374b08eb2a7612670ec67455fae7b349373
Instruction ID: 8c60fbef566f5388b391de5c2af78f4e71567c94332f8780f3b21da4869518ae
Opcode Fuzzy Hash: 5f5fcb7421ae708140d7f434178a3374b08eb2a7612670ec67455fae7b349373
Instruction Fuzzy Hash: 6C110E32B2C55D1B872C9878880A13BB69EE3C6210B11933EE987C3282EE64A80341C2

Function 00007FFC3D8F083D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54239c8631b1ef1f9b19ed794bdc3c2aebe247b7103fc37f55b9cb48a38fcfd4
Instruction ID: e16d5f36529fd8c88677a2ea9f3f3af1d0af7d9aee5cbc5ad22fb393e8f24d5e
Opcode Fuzzy Hash: 54239c8631b1ef1f9b19ed794bdc3c2aebe247b7103fc37f55b9cb48a38fcfd4
Instruction Fuzzy Hash: 2521F030A08659DFE716ABA4C8A06EC77B1FF99304F04826AD018E71C2CF38A815C791

Function 00007FFC3D8F05A8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f4891122d59874a14fb7850faf719de80ae8f54aebc8d735d38ab2bf06ca5f
Instruction ID: a050f71a1c08d71d2ae94ca7706750c5b51b9bb96a0ac8fcef5e8ba783d850a6
Opcode Fuzzy Hash: 21f4891122d59874a14fb7850faf719de80ae8f54aebc8d735d38ab2bf06ca5f
Instruction Fuzzy Hash: 3F01243220C5190FA72CA9ADBC5B4BA7789D382330761127EE487C2692F855BC1382C1

Function 00007FFC3D8F352D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9c9c9d2f4d2f549f3678d5601b42c1ae0e389b44ce0e10b966d5f4b2951abb
Instruction ID: d00748570a6858eee14a84f550fadafeb3c02f4aa328a72e5d2709a158376889
Opcode Fuzzy Hash: ee9c9c9d2f4d2f549f3678d5601b42c1ae0e389b44ce0e10b966d5f4b2951abb
Instruction Fuzzy Hash: D1219D7180E7C94FD307DB2498615967FB0AF63240B1A44EBD0C6CB6A7E529B809C763

Function 00007FFC3D8F20A0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47371f25215205af09347e843279cc609a353ede379ba5cae6e631e9e12a31b
Instruction ID: 3d8f213fdf91e7055d2a2282baf1cd02a840a2eacaacbaad3ded4ee9a7ffa1e3
Opcode Fuzzy Hash: f47371f25215205af09347e843279cc609a353ede379ba5cae6e631e9e12a31b
Instruction Fuzzy Hash: CA11B171A2C78A8FE748DB68904656ABBD1FF98744F40487DE049C3282EA38B405CB93

Function 00007FFC3D8F07FD Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4651e1ce21b278263d2a170ca505cd02a185262aea1c08e2b2cb56dda8241215
Instruction ID: 61a219c6ef6be394be3aaace215a7747ec48fffd34a0d9d2e2ede5a09aa2b607
Opcode Fuzzy Hash: 4651e1ce21b278263d2a170ca505cd02a185262aea1c08e2b2cb56dda8241215
Instruction Fuzzy Hash: 0911DD30E0825E9EEB11DB64EC50AED77B5FF88310F0046BAD019E7282DB34A914CB92

Function 00007FFC3D8F6556 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a722c3bf9c15a50c9455333c5bfd613981abb0c7213584803e8d4c98e1e4c98d
Instruction ID: 7ae6ad64c5552c7b4e2c54041cd41ac999b55295a0f52e3d6e4bcdfcad0c3a46
Opcode Fuzzy Hash: a722c3bf9c15a50c9455333c5bfd613981abb0c7213584803e8d4c98e1e4c98d
Instruction Fuzzy Hash: 6C0125D3E1482E5FAAD4E76850562BD63D2EB586D0B94047AC04DD3386EE152C064393

Function 00007FFC3D8F296A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6d38b61ef2c17b58bb03c865bde1b613ed6588b91cabd28884514ddaaeb09f
Instruction ID: 580859f82a94aea086f26f4c640b910fa837a19d10f8412d94311208ee18ba69
Opcode Fuzzy Hash: 0b6d38b61ef2c17b58bb03c865bde1b613ed6588b91cabd28884514ddaaeb09f
Instruction Fuzzy Hash: 3DF0FF3171821E4B870CEE6C985017973DAEB89341B40523DE48BC7397EE68BD16C686

Function 00007FFC3D8F41C7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b1aecc16a0a69312a624ccae66073b34777af73927498bd5e4057aca1e479a
Instruction ID: e6131ffb5aa8f399507ea58716c271e81bf1607f0377ba8df3828bf87eef9e9f
Opcode Fuzzy Hash: 37b1aecc16a0a69312a624ccae66073b34777af73927498bd5e4057aca1e479a
Instruction Fuzzy Hash: B4F0C27A748A0E4BD718CA28D88107AB3D7E7D5360714833BC467C3794EE38F8578681

Function 00007FFC3D8F0F43 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db85b92eda1d80e963619581d58d97d11a49859a746e2d4bc759e140c2cd7a5
Instruction ID: b288517b7c2e45c52e0187e6b600ee8824086050374f55463e7e9c10b5fc5c2c
Opcode Fuzzy Hash: 1db85b92eda1d80e963619581d58d97d11a49859a746e2d4bc759e140c2cd7a5
Instruction Fuzzy Hash: 3001F570D1466ECFEBA4D75098046E873A1EF88380F5000F9C00EAB3D6EE34695ADB42

Function 00007FFC3D8F2C3F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39232cd5341b7538ae502faf4dbb4dc58521b41e4710d6b6fe6bfc834a0150d8
Instruction ID: ac69968eed58842017d3689d532d1ea8c8213c1f300bdd8278965baa3833ce2f
Opcode Fuzzy Hash: 39232cd5341b7538ae502faf4dbb4dc58521b41e4710d6b6fe6bfc834a0150d8
Instruction Fuzzy Hash: F4F09032708A1E4BC72C996898A16B673D7D7A4350750823EC107C76E9FC247A069681

Function 00007FFC3D8F7CA4 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c82c84ba33db35c1d5c3e2339610be05d34382f388d0ce8b6a291b88110476d
Instruction ID: b3676f4d5a6c7da5ce2d8d16424fac5dd02ca789c8b3bd83fdd10985e5025081
Opcode Fuzzy Hash: 8c82c84ba33db35c1d5c3e2339610be05d34382f388d0ce8b6a291b88110476d
Instruction Fuzzy Hash: 30F0A73296C7C84FD755AF3484560667FE4FB4A645F04057EE8C7C2100DB34E4158783

Function 00007FFC3D8F2ED5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763b612244cb3acc74fe1bea55462435e67030b0ec4d61a7bb48c5b7c6815c24
Instruction ID: 2f9b5507eaacbcd8f5a90e9af6f5bbe2dca09eb6cc66c50dffd3e7ab309f29a0
Opcode Fuzzy Hash: 763b612244cb3acc74fe1bea55462435e67030b0ec4d61a7bb48c5b7c6815c24
Instruction Fuzzy Hash: 4CE0923030D61E8BC72CFA5098942BAB257EB85361F10423EC1038A7A5EDA4BA099796

Function 00007FFC3D8F32A2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce397b8dc318236c4915baa837d8f71a9ad81091c78c5ea1b09afd9f11c3130
Instruction ID: 23fa628ee7e5aba7c18cc38611f8f9e8a8ad2eac7e46fef1056173e2ff4bff8b
Opcode Fuzzy Hash: 2ce397b8dc318236c4915baa837d8f71a9ad81091c78c5ea1b09afd9f11c3130
Instruction Fuzzy Hash: F3E08631B5C7084F924CDA28D893536B7E5EBC9350B10642DF0C783351C930F801C583

Function 00007FFC3D8F0B57 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee68cf5c8f746e1b9a845e5c9dc4711f5d51cb8887f399e230c9ce6ccf37fba0
Instruction ID: 07a94bade3668d21f15424942208144e6ef0fd3b9b4ba3ac737398bfa6cce763
Opcode Fuzzy Hash: ee68cf5c8f746e1b9a845e5c9dc4711f5d51cb8887f399e230c9ce6ccf37fba0
Instruction Fuzzy Hash: EDD0C2B2D0CA2F8DFBD8E66848093F495A0EF24380F4005B9C00CD3293FE282485C623

Function 00007FFC3D8F23CF Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b078e19926d66a5d4f3c29deb6d232127dbf1ed9f20415581ef443d12dfdfb
Instruction ID: abed42896aafcf5ca74dd270230d9a81e50e08d20f1c1d8357f35a5b25354f16
Opcode Fuzzy Hash: a3b078e19926d66a5d4f3c29deb6d232127dbf1ed9f20415581ef443d12dfdfb
Instruction Fuzzy Hash: D2C08C22A0C12D0B66AC9466141323EA04F87C9600B71703F864BE7386DC347C27A2D3

Function 00007FFC3D8F3691 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946bbbbcad14dad4f53ed57bf1d261a0b824d19e339064b9750457258ebbdd70
Instruction ID: d1ac49693c79cb90d70fdb57feb1d1c0e8b5bab4a1bf81c70e624cd5f0c7d310
Opcode Fuzzy Hash: 946bbbbcad14dad4f53ed57bf1d261a0b824d19e339064b9750457258ebbdd70
Instruction Fuzzy Hash: 57D0A730519318CFC39CEA28C09353AB7E4AF85741F60643DF083523A0CA35F482C683

Function 00007FFC3D8F3C7F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe61bc57c3403363b1cbc727345453dd101e165ff9c77f688bd5179c6ab5ba9b
Instruction ID: a83c7ac6c680a6f036f678346af73899e6aec849b5ddeda29fd1f6624444e54d
Opcode Fuzzy Hash: fe61bc57c3403363b1cbc727345453dd101e165ff9c77f688bd5179c6ab5ba9b
Instruction Fuzzy Hash: 92C012315942598BD21C5F644167035315A9B86245B21143EC547422D29DA9B4079943

Function 00007FFC3D8F3DEA Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c1120ac0356d6e21b09cf790ec9468fec35f59612751581e82a831f9735bdf
Instruction ID: 3c055c73b381ab1684d62f080fd712ea7b49fffcc499cbb873168805b3d19a9b
Opcode Fuzzy Hash: 00c1120ac0356d6e21b09cf790ec9468fec35f59612751581e82a831f9735bdf
Instruction Fuzzy Hash: E1C0803154814D4FD35C95545012035314BFF8D545722603FD14747751DD74BC17DA47

Function 00007FFC3D8F3424 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1663721238.00007FFC3D8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc3d8f0000_Order Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d33ef78fcc43a4d588c82515e9395627c02c29be719cf95dea062f949909b5b
Instruction ID: d70cf5e64b9b28f34a8a32abda7cbd08f94348043f76d7e9ec1fefb5ca059544
Opcode Fuzzy Hash: 8d33ef78fcc43a4d588c82515e9395627c02c29be719cf95dea062f949909b5b
Instruction Fuzzy Hash: 4BC08C34B08B1C8FE124991C540213173A59B85200720003CE18BC3382DD29F856E582

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order Confirmation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Order Confirmation.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Version Infos

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Order Confirmation.exePID: 7752, Parent PID: 3964

General

File Activities

File Opened

File Created

File Written

File Read

Windows Analysis Report
Order Confirmation.exe