Windows Analysis Report
Order Details.exe

Overview

General Information

Sample name: Order Details.exe
Analysis ID: 1592377
MD5: 06c48ef3e45a7dafedbd596368918830
SHA1: 6ec2e82db6d702ddc0f4b302a4d8f02fd4c36c36
SHA256: 1e2333cb4fb3ecca06d22bb3b6255e5ac62b7ba43c3bceb8c17252657f34ba1e
Tags: exe, user-threatcat_ch

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: Order Details.exe Avira: detected
Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "frankichong@yulifertilizer.com.my", "Password": "Ayfc931319*", "Host": "yulifertilizer.com.my", "Port": "25", "Version": "5.1"}
Source: Order Details.exe Virustotal: Detection: 50%
Source: Order Details.exe ReversingLabs: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Order Details.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: Order Details.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: Order Details.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Order Details.exe, 00000000.00000002.1680271362.00000000050D0000.00000004.08000000.00040000.00000000.sdmp, Order Details.exe, 00000000.00000002.1678634520.00000000028E1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 019AF1F6h 1_2_019AF007
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 019AFB80h 1_2_019AF007
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 1_2_019AE528
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 1_2_019AEB5B
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 1_2_019AED3C
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDCD49h 1_2_05EDCAA0
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDC499h 1_2_05EDC1F0
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05ED1471h 1_2_05ED11C0
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDF461h 1_2_05EDF1B8
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDC041h 1_2_05EDBD98
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05ED1A38h 1_2_05ED1966
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05ED1011h 1_2_05ED0D60
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDF009h 1_2_05EDED60
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDBBE9h 1_2_05EDB940
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDEBB1h 1_2_05EDE908
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05ED0BB1h 1_2_05ED0900
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDB791h 1_2_05EDB4E8
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05ED0751h 1_2_05ED04A0
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDE759h 1_2_05EDE4B0
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05ED02F1h 1_2_05ED0040
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDE301h 1_2_05EDE058
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDDEA9h 1_2_05EDDC00
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDDA51h 1_2_05EDD7A8
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDD5F9h 1_2_05EDD350
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDD1A1h 1_2_05EDCEF8
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDFD11h 1_2_05EDFA68
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDC8F1h 1_2_05EDC648
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05ED1A38h 1_2_05ED1620
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 05EDF8B9h 1_2_05EDF610
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB8945h 1_2_06FB8608
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB6171h 1_2_06FB5EC8
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_06FB36CE
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB5D19h 1_2_06FB5A70
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB58C1h 1_2_06FB5618
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB6E79h 1_2_06FB6BD0
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_06FB33B8
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_06FB33A8
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB6A21h 1_2_06FB6778
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB65C9h 1_2_06FB6320
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB0B99h 1_2_06FB08F0
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB7751h 1_2_06FB74A8
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB0741h 1_2_06FB0498
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB72FAh 1_2_06FB7050
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB02E9h 1_2_06FB0040
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB8459h 1_2_06FB81B0
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB5441h 1_2_06FB5198
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB8001h 1_2_06FB7D58
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB0FF1h 1_2_06FB0D48
Source: C:\Users\user\Desktop\Order Details.exe Code function: 4x nop then jmp 06FB7BA9h 1_2_06FB7900

Networking

Source: Yara match File source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 104.21.32.1
Source: Joe Sandbox View IP Address: 104.21.32.1
Source: Joe Sandbox View IP Address: 193.122.6.168
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 104.21.32.1:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003459000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000340A000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Order Details.exe, 00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Order Details.exe, 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000342E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: Order Details.exe, 00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003459000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Order Details.exe, 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003459000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443

System Summary

Source: 0.2.Order Details.exe.4ff0000.5.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order Details.exe.4ff0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order Details.exe.3933f90.2.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order Details.exe.3933f90.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order Details.exe.28ef718.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order Details.exe.28f1f58.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1679581061.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: initial sample Static PE information: Filename: Order Details.exe
Source: C:\Users\user\Desktop\Order Details.exe Code function: 0_2_027BAE48 0_2_027BAE48
Source: C:\Users\user\Desktop\Order Details.exe Code function: 0_2_027B3118 0_2_027B3118
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019AC190 1_2_019AC190
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019A6108 1_2_019A6108
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019AF007 1_2_019AF007
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019AB328 1_2_019AB328
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019AC470 1_2_019AC470
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019A6730 1_2_019A6730
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019AC753 1_2_019AC753
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019A9858 1_2_019A9858
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019ABBD3 1_2_019ABBD3
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019A4AD9 1_2_019A4AD9
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019ACA33 1_2_019ACA33
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019ABEB0 1_2_019ABEB0
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019AE517 1_2_019AE517
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019AE528 1_2_019AE528
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_019A3573 1_2_019A3573
Source: Order Details.exe, 00000000.00000002.1678770489.00000000038E5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1680271362.00000000050D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1679581061.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1678634520.00000000028E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1678634520.00000000028E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order Details.exe
Source: Order Details.exe, 00000000.00000000.1673230829.0000000000592000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBladeNoPa.exe4 vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1678087390.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Order Details.exe
Source: Order Details.exe, 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order Details.exe
Source: Order Details.exe, 00000001.00000002.4155467566.0000000001377000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Order Details.exe
Source: Order Details.exe Binary or memory string: OriginalFilenameBladeNoPa.exe4 vs Order Details.exe
Source: Order Details.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Order Details.exe.4ff0000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order Details.exe.4ff0000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order Details.exe.3933f90.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order Details.exe.3933f90.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order Details.exe.28ef718.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order Details.exe.28f1f58.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1679581061.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\Order Details.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Details.exe.log
Source: C:\Users\user\Desktop\Order Details.exe Mutant created: NULL
Source: Order Details.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Order Details.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Order Details.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Order Details.exe, 00000001.00000002.4156338198.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000358A000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000359A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Order Details.exe Virustotal: Detection: 50%
Source: Order Details.exe ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\Order Details.exe "C:\Users\user\Desktop\Order Details.exe"
Source: C:\Users\user\Desktop\Order Details.exe Process created: C:\Users\user\Desktop\Order Details.exe "C:\Users\user\Desktop\Order Details.exe"
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Order Details.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Order Details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Order Details.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Order Details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Order Details.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order Details.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Order Details.exe, 00000000.00000002.1680271362.00000000050D0000.00000004.08000000.00040000.00000000.sdmp, Order Details.exe, 00000000.00000002.1678634520.00000000028E1000.00000004.00000800.00020000.00000000.sdmp
Source: Order Details.exe Static PE information: 0xDA00EF84 [Sun Nov 25 02:40:04 2085 UTC]
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_05ED2990 push esp; retf 1_2_05ED2AC9
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_05ED2E60 push esp; iretd 1_2_05ED2E79
Source: Order Details.exe Static PE information: section name: .text entropy: 7.213000127966721
Source: C:\Users\user\Desktop\Order Details.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Order Details.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Order Details.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR
Source: C:\Users\user\Desktop\Order Details.exe Memory allocated: 2740000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Memory allocated: 28E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Memory allocated: 48E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Memory allocated: 1960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Memory allocated: 3350000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Memory allocated: 3170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 599407 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 599282 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 599172 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 598454 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 598329 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 598204 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 598079 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 597943 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 597813 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 597698 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 597563 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 597454 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 597329 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 597213 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 597094 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 594966 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 594857 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 594717 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 594500 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 594391 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 594266 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 594157 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 594032 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 593907 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Thread delayed: delay time: 593797 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Window / User API: threadDelayed 8474 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Window / User API: threadDelayed 1346 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 3584 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -29514790517935264s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 1908 Thread sleep count: 8474 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 1908 Thread sleep count: 1346 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -599657s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -599532s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -599407s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -599282s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -599172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -599063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -598938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -598813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -598688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -598563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -598454s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -598329s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -598204s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -598079s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -597943s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -597813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -597698s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -597563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -597454s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -597329s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -597213s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -597094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -596985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -596860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -596735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -596610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -596485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -596360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -596235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -596110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -595985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -595860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -595735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -595610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -595485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -595360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -594966s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -594857s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -594717s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -594610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -594500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -594391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -594266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -594157s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -594032s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -593907s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200 Thread sleep time: -593797s >= -30000s Jump to behavior
Source: Order Details.exe, 00000001.00000002.4155927278.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: C:\Users\user\Desktop\Order Details.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Code function: 1_2_05ED7D90 LdrInitializeThunk, 1_2_05ED7D90
Source: C:\Users\user\Desktop\Order Details.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Order Details.exe Memory written: C:\Users\user\Desktop\Order Details.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Process created: C:\Users\user\Desktop\Order Details.exe "C:\Users\user\Desktop\Order Details.exe" Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Users\user\Desktop\Order Details.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Users\user\Desktop\Order Details.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4156338198.000000000351C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR
Source: C:\Users\user\Desktop\Order Details.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Yara match File source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4156338198.000000000351C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR