Edit tour

Windows Analysis Report
ORDER SPECIFICATION.exe

Overview

General Information

Sample name:	ORDER SPECIFICATION.exe
Analysis ID:	1427952
MD5:	34070a881f75f12cd4e5bfcb3bdf48c6
SHA1:	68d694a74aa970c84bf48ca15c979b408970843a
SHA256:	562b14cbead15ecad71e6e25e6c00656e47c3cf6e7d12eec64bfb4b9a6aaca05
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ORDER SPECIFICATION.exe (PID: 2576 cmdline: "C:\Users\user\Desktop\ORDER SPECIFICATION.exe" MD5: 34070A881F75F12CD4E5BFCB3BDF48C6)

ORDER SPECIFICATION.exe (PID: 6128 cmdline: "C:\Users\user\Desktop\ORDER SPECIFICATION.exe" MD5: 34070A881F75F12CD4E5BFCB3BDF48C6)

ORDER SPECIFICATION.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\ORDER SPECIFICATION.exe" MD5: 34070A881F75F12CD4E5BFCB3BDF48C6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.techwiser.in", "Username": "tech@techwiser.in", "Password": "tech@#$121"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3255257042.0000000003141000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3255257042.0000000003141000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ORDER SPECIFICATION.exe PID: 2576	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ORDER SPECIFICATION.exe PID: 2576	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ORDER SPECIFICATION.exe PID: 2576	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ORDER SPECIFICATION.exe PID: 6664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ORDER SPECIFICATION.exe PID: 6664	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ORDER SPECIFICATION.exe.432e500.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER SPECIFICATION.exe.4368f20.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER SPECIFICATION.exe.4368f20.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.ORDER SPECIFICATION.exe.432e500.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.ORDER SPECIFICATION.exe.4368f20.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31673:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3176f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31801:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3186b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31973:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a03:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.ORDER SPECIFICATION.exe.432e500.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31673:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3176f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31801:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3186b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31973:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a03:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.ORDER SPECIFICATION.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.ORDER SPECIFICATION.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.ORDER SPECIFICATION.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33473:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3356f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33601:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3366b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33773:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33803:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.ORDER SPECIFICATION.exe.4368f20.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER SPECIFICATION.exe.4368f20.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.ORDER SPECIFICATION.exe.4368f20.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33473:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dc93:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd05:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3356f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dd8f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33601:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de21:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3366b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6de8b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6defd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33773:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6df93:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33803:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e023:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33473:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6de93:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa86b3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df05:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa8725:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3356f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6df8f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa87af:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33601:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e021:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8841:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3366b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e08b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa88ab:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e0fd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa891d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33773:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e193:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa89b3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.241.123.30, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\ORDER SPECIFICATION.exe, Initiated: true, ProcessId: 6664, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.ORDER SPECIFICATION.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.techwiser.in", "Username": "tech@techwiser.in", "Password": "tech@#$121"}

Multi AV Scanner detection for submitted file

Source: ORDER SPECIFICATION.exe	ReversingLabs: Detection: 34%
Source: ORDER SPECIFICATION.exe	Virustotal: Detection: 38%			Perma Link

Machine Learning detection for sample

Source: ORDER SPECIFICATION.exe

Joe Sandbox ML: detected

Source: ORDER SPECIFICATION.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: ORDER SPECIFICATION.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: DuePw.pdb source: ORDER SPECIFICATION.exe
Source:	Binary string: DuePw.pdbSHA256 source: ORDER SPECIFICATION.exe

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

Code function: 4x nop then jmp 00B009A5h

0_2_00B00D33

Source: global traffic

TCP traffic: 192.168.2.5:49706 -> 162.241.123.30:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 162.241.123.30 162.241.123.30

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49706 -> 162.241.123.30:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.techwiser.in
Source: ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.000000000138C000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.0000000001331000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.0000000001363000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.000000000138C000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.0000000001331000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.0000000001363000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER SPECIFICATION.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd)Microsoft
Source: ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.0000000001331000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.0000000001363000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.000000000134E000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.0000000001331000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.0000000001363000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.000000000134E000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: ORDER SPECIFICATION.exe, 00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: ORDER SPECIFICATION.exe, 00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, oAKy.cs	.Net Code: xXlophBw8
Source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.raw.unpack, oAKy.cs	.Net Code: xXlophBw8

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.ORDER SPECIFICATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.ORDER SPECIFICATION.exe.4cf0000.6.raw.unpack, LoginForm.cs

Large array initialization: : array initializer size 33603

.NET source code contains very large strings

Source: ORDER SPECIFICATION.exe, Form1.cs

Long String: Length: 131612

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: ORDER SPECIFICATION.exe

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 0_2_00B03150	0_2_00B03150
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 0_2_00B00390	0_2_00B00390
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 0_2_00BAD59C	0_2_00BAD59C
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_0170E6D0	3_2_0170E6D0
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_0170A948	3_2_0170A948
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_01704A98	3_2_01704A98
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_01703E80	3_2_01703E80
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_017041C8	3_2_017041C8
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C6A068	3_2_06C6A068
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C6B900	3_2_06C6B900
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C85570	3_2_06C85570
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C83028	3_2_06C83028
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C8B1E8	3_2_06C8B1E8
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C8C148	3_2_06C8C148
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C87D40	3_2_06C87D40
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C87660	3_2_06C87660
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C8E360	3_2_06C8E360
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C80040	3_2_06C80040
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C85CAF	3_2_06C85CAF
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C80006	3_2_06C80006

Source: ORDER SPECIFICATION.exe, 00000000.00000002.2057108058.0000000004CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs ORDER SPECIFICATION.exe
Source: ORDER SPECIFICATION.exe, 00000000.00000002.2054266616.0000000003F15000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs ORDER SPECIFICATION.exe
Source: ORDER SPECIFICATION.exe, 00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename28519625-fb4c-40d0-af15-66ea2f96c830.exe4 vs ORDER SPECIFICATION.exe
Source: ORDER SPECIFICATION.exe, 00000000.00000000.2002351467.0000000000140000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDuePw.exeT vs ORDER SPECIFICATION.exe
Source: ORDER SPECIFICATION.exe, 00000000.00000002.2053757578.0000000002580000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename28519625-fb4c-40d0-af15-66ea2f96c830.exe4 vs ORDER SPECIFICATION.exe
Source: ORDER SPECIFICATION.exe, 00000000.00000002.2058455099.00000000083D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs ORDER SPECIFICATION.exe
Source: ORDER SPECIFICATION.exe, 00000000.00000002.2052874317.000000000084E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ORDER SPECIFICATION.exe
Source: ORDER SPECIFICATION.exe, 00000003.00000002.3253195215.0000000001169000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ORDER SPECIFICATION.exe
Source: ORDER SPECIFICATION.exe, 00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename28519625-fb4c-40d0-af15-66ea2f96c830.exe4 vs ORDER SPECIFICATION.exe
Source: ORDER SPECIFICATION.exe	Binary or memory string: OriginalFilenameDuePw.exeT vs ORDER SPECIFICATION.exe

Source: ORDER SPECIFICATION.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.ORDER SPECIFICATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: ORDER SPECIFICATION.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, ekKu0.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, vKf1z6NvS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, ZNAvlD7qmXc.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, U2doU2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, BgffYko.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, HrTdA63.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, za3l5cjND4NLNjUJsH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, za3l5cjND4NLNjUJsH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	Security API names: _0020.AddAccessRule
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	Security API names: _0020.AddAccessRule
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, za3l5cjND4NLNjUJsH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/2

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER SPECIFICATION.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Mutant created: \Sessions\1\BaseNamedObjects\fdhqGoehwjUrjl

Source: ORDER SPECIFICATION.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ORDER SPECIFICATION.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ORDER SPECIFICATION.exe	ReversingLabs: Detection: 34%
Source: ORDER SPECIFICATION.exe	Virustotal: Detection: 38%

Source: unknown	Process created: C:\Users\user\Desktop\ORDER SPECIFICATION.exe "C:\Users\user\Desktop\ORDER SPECIFICATION.exe"
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process created: C:\Users\user\Desktop\ORDER SPECIFICATION.exe "C:\Users\user\Desktop\ORDER SPECIFICATION.exe"
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process created: C:\Users\user\Desktop\ORDER SPECIFICATION.exe "C:\Users\user\Desktop\ORDER SPECIFICATION.exe"
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process created: C:\Users\user\Desktop\ORDER SPECIFICATION.exe "C:\Users\user\Desktop\ORDER SPECIFICATION.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process created: C:\Users\user\Desktop\ORDER SPECIFICATION.exe "C:\Users\user\Desktop\ORDER SPECIFICATION.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: ORDER SPECIFICATION.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDER SPECIFICATION.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ORDER SPECIFICATION.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: DuePw.pdb source: ORDER SPECIFICATION.exe
Source:	Binary string: DuePw.pdbSHA256 source: ORDER SPECIFICATION.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.ORDER SPECIFICATION.exe.4cf0000.6.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	.Net Code: cpIrJGqiVc System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	.Net Code: cpIrJGqiVc System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	.Net Code: cpIrJGqiVc System.Reflection.Assembly.Load(byte[])

Source: ORDER SPECIFICATION.exe

Static PE information: 0xBCABE6C0 [Tue Apr 22 08:52:16 2070 UTC]

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_01700C3D push edi; ret	3_2_01700CC2
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_01700C95 push edi; retf	3_2_01700C3A
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Code function: 3_2_06C6FCC7 push es; retf	3_2_06C6FCC8

Source: ORDER SPECIFICATION.exe

Static PE information: section name: .text entropy: 7.283155285954524

Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, cYjlLH4jCW2VOlKR96.cs	High entropy of concatenated method names: 'RY63fXqJfB', 'd8e32uj7tE', 'dwx3FvXEu7', 'ToString', 'oDt3GZme21', 'tNw3eJVhhS', 'oA4DiRCFHQPLQAFUXfZ', 'O5G7lVC5aDrtyQq0W4q'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, uJG2vZ80tU5P3l0MYT.cs	High entropy of concatenated method names: 'aWV39DPkal', 'y063NMXHIn', 'hbo3aBIrmp', 'qpL3mvRulG', 'hZ73BTckGx', 'hWEaF1mVO6', 'OF7aGYl6vW', 'P7vaeQkyaL', 'VTpaMfZvCV', 'Llsauk5AdO'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, iWKyL5clMxLoJWmJ6C.cs	High entropy of concatenated method names: 'RCTaSc3vtG', 'V0CaUWVlki', 'imOYV4UmVV', 'LMoYdSVLaB', 'W46YC1wsJx', 'vGdY4emuxx', 'p0rYTpIoMe', 'hwOY62JYj1', 'EI1YyUXIO8', 'XH8YlAKwNt'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, QAP0keG8Yd5jv1Xl0Y.cs	High entropy of concatenated method names: 's6w7McJFGp', 'TWY7RDAUA0', 'dqDXLDcujR', 'HvHXKt24cx', 'FpT7p6XCq1', 'rPi7O8G46T', 'wUH71LDErX', 'Xvv7kCEkx9', 'sIC7nYlju0', 'ow57fOoglL'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, b2a5pwkX0lu50obdgL.cs	High entropy of concatenated method names: 'OwQElVEELJ', 'YVJEOcBTsC', 'VehEkP8Cj2', 'imiEnCBTMZ', 'rGaEWWCUne', 'YceEVutN5y', 'hecEdLWnro', 'EmGECcS55X', 'zexE4eNkx7', 'TsFETSLyO6'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, nVcNWUTErCgkCmphYN.cs	High entropy of concatenated method names: 'jy4mZHedR7', 'eR5mYC9n1U', 'ErYm3nqprX', 'acC3ROQyKK', 'BDT3z1Paqi', 'joUmL3yU7M', 'RdJmKSU2pA', 'VHNm5aVh3g', 'F3ymwiYmV1', 'DZimrPkJcW'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, gl3oKrR1qqiT30vSiT.cs	High entropy of concatenated method names: 'rnloKkR3Th', 'R6MowMpUQa', 'MLnorBitFX', 'y5YoZ18di3', 'JtYoNlT2FC', 'hHcoaivcq5', 'gS0o3xRvsd', 'UCUXexrV1V', 'XwrXMYhjeF', 'P2ZXu5U4Uy'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, WpKvZJijw23n3QB5iC.cs	High entropy of concatenated method names: 'OPiYx9LcR9', 'zM3YIu4pwo', 'COOYjro1mt', 'ja4Yig34Kj', 'yBRYEuQAMC', 'XvlYg8y9GP', 'rfTY7sfc5p', 'UPeYXIYMCA', 'pyKYoNGcCE', 'DF6YhjTTCP'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, zmiTT8MfIrnMZdAt1J.cs	High entropy of concatenated method names: 'UQZXZmYZQv', 'qbvXN6rUMN', 'fLQXYyWUXe', 'pOMXayqro5', 'mG7X3ERV1D', 'kUTXmMQWCd', 'ODgXBsxEVy', 'HjpX0x5XKn', 'uHZXHOlDg5', 'YyUXb73SpC'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, za3l5cjND4NLNjUJsH.cs	High entropy of concatenated method names: 'P4jNkO70Md', 'LGgNn2BCYg', 'qixNf4c8IL', 'VWoN2JueQj', 'rY0NF8vrJ3', 'rSsNGBZHny', 'SCNNeV8Ang', 'wMpNMbbIwf', 'CWKNucKItI', 'hcyNRENRNQ'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, wobfetzyoCSKIeE3kM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'N9GoAghS9M', 'q79oE67rFb', 'DdNogEDDfc', 'xamo7s4sUS', 'Ej5oXd6oON', 'Jfcoo6Wc8M', 'FKrohpL3e6'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, f8hAT8YLP7gxbLHpdL.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'aZf5uxmO16', 'uHL5Rucfrq', 'lrx5ziJkpS', 'afJwLTkeM3', 'EgHwKvGQpq', 'nXKw544gx0', 'fVlwwBK3Xe', 'vKoV3NXJqSnOT71W59c'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, FMqbjCKLh4H5q0Ba22L.cs	High entropy of concatenated method names: 'EbOoPIviEc', 'opAoDduFUP', 'p0qoJ4JfHb', 's9Woxh5l6d', 'hl1oSWTEMs', 'mU3oI1qEfI', 'aL4oU0aaaA', 'Lk8ojPeyK4', 'fOUoi7SMfO', 'u9bocKbmLo'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, YXPk43Ni1pBKjVfOSf.cs	High entropy of concatenated method names: 'Dispose', 'KnaKuZU6WX', 'iZP5WKZYBs', 'sqKVV5a6ns', 'rJmKRiTT8f', 'CrnKzMZdAt', 'ProcessDialogKey', 'QJg5LCEuMf', 'WvA5KZf0Ll', 'ds455Yl3oK'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, dZGeiGrj2NrVuLS35e.cs	High entropy of concatenated method names: 'YsJKma3l5c', 'gD4KBNLNjU', 'zjwKH23n3Q', 'k5iKbC3WKy', 'GmJKE6CvJG', 'TvZKg0tU5P', 'h0Lm08lTro6U2YJ687', 'vxaXjQeNiv56dMfiSX', 'fLWKK4Ia1r', 'JkpKws709I'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, L0oDSqyO4bbtafwmkS.cs	High entropy of concatenated method names: 'Y8WmPWF83V', 'cZfmDTMN7u', 'LIYmJA7r2k', 'H0ymxZPEdO', 'qQTmSayvND', 'jyqmIYll5n', 'ojEmUO51tI', 'S7GmjnsZtQ', 'NrlmiPG784', 'eSjmcmx7vZ'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, e8xLqc1syX4Orjh579.cs	High entropy of concatenated method names: 'rMMAj1a75d', 'CQlAiUOLib', 's1NA8bnVqj', 'ztIAW5Acvv', 'DLrAdtojoS', 'bOGACUiu8K', 'J5TATgSa8k', 'UUFA6u8nw2', 'l3eAlNFtm1', 'FjvApxMSks'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	High entropy of concatenated method names: 'bsEw9lhSZJ', 'h0AwZq1dji', 'qo0wN0P0E9', 'Oq4wYhjVZL', 'Ji4waVtVbU', 'jFOw3ur8vD', 'I8dwmtka2B', 'hOTwBt80Iu', 'z2Sw0NR8Ew', 'LpGwHlFyTX'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, X44r6cK5dk9PsSvkBKA.cs	High entropy of concatenated method names: 'tCahPAFxpd', 'EA9hD78dFU', 'XvZhJ3l6V2', 'zMnUAYZwX0gLTRMtHE9', 'cRn6flZHHxTo3YUIXxb', 'trBZkiZ0eaj39TEe2Rr', 'XxNACGZzwqQDjKw9bPk', 'VNEb34tQgVJ38NMywtW', 'EBLtHXtXrjbgJxMOEJo'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, NilLd55MB9vBSZax7f.cs	High entropy of concatenated method names: 'aBnJIgun8', 'Qe2xQBILP', 'UNPIbyOmq', 'VvCUGpgLI', 'q0siESqWH', 'CrgcvsYmx', 'cKoCtXRx6HXpWxVIUd', 'b8jYn6NTE6ZbhBaMXg', 'qYqX2w56o', 'WAghmHEX7'
Source: 0.2.ORDER SPECIFICATION.exe.41aedf8.1.raw.unpack, pCEuMfuMvAZf0Llrs4.cs	High entropy of concatenated method names: 'OGsX8pHqeO', 'NSnXW4sRnK', 'w35XVHhXPn', 'o6IXdLnnhQ', 'lGpXkeAQea', 'YdaXCvs9EN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, cYjlLH4jCW2VOlKR96.cs	High entropy of concatenated method names: 'RY63fXqJfB', 'd8e32uj7tE', 'dwx3FvXEu7', 'ToString', 'oDt3GZme21', 'tNw3eJVhhS', 'oA4DiRCFHQPLQAFUXfZ', 'O5G7lVC5aDrtyQq0W4q'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, uJG2vZ80tU5P3l0MYT.cs	High entropy of concatenated method names: 'aWV39DPkal', 'y063NMXHIn', 'hbo3aBIrmp', 'qpL3mvRulG', 'hZ73BTckGx', 'hWEaF1mVO6', 'OF7aGYl6vW', 'P7vaeQkyaL', 'VTpaMfZvCV', 'Llsauk5AdO'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, iWKyL5clMxLoJWmJ6C.cs	High entropy of concatenated method names: 'RCTaSc3vtG', 'V0CaUWVlki', 'imOYV4UmVV', 'LMoYdSVLaB', 'W46YC1wsJx', 'vGdY4emuxx', 'p0rYTpIoMe', 'hwOY62JYj1', 'EI1YyUXIO8', 'XH8YlAKwNt'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, QAP0keG8Yd5jv1Xl0Y.cs	High entropy of concatenated method names: 's6w7McJFGp', 'TWY7RDAUA0', 'dqDXLDcujR', 'HvHXKt24cx', 'FpT7p6XCq1', 'rPi7O8G46T', 'wUH71LDErX', 'Xvv7kCEkx9', 'sIC7nYlju0', 'ow57fOoglL'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, b2a5pwkX0lu50obdgL.cs	High entropy of concatenated method names: 'OwQElVEELJ', 'YVJEOcBTsC', 'VehEkP8Cj2', 'imiEnCBTMZ', 'rGaEWWCUne', 'YceEVutN5y', 'hecEdLWnro', 'EmGECcS55X', 'zexE4eNkx7', 'TsFETSLyO6'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, nVcNWUTErCgkCmphYN.cs	High entropy of concatenated method names: 'jy4mZHedR7', 'eR5mYC9n1U', 'ErYm3nqprX', 'acC3ROQyKK', 'BDT3z1Paqi', 'joUmL3yU7M', 'RdJmKSU2pA', 'VHNm5aVh3g', 'F3ymwiYmV1', 'DZimrPkJcW'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, gl3oKrR1qqiT30vSiT.cs	High entropy of concatenated method names: 'rnloKkR3Th', 'R6MowMpUQa', 'MLnorBitFX', 'y5YoZ18di3', 'JtYoNlT2FC', 'hHcoaivcq5', 'gS0o3xRvsd', 'UCUXexrV1V', 'XwrXMYhjeF', 'P2ZXu5U4Uy'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, WpKvZJijw23n3QB5iC.cs	High entropy of concatenated method names: 'OPiYx9LcR9', 'zM3YIu4pwo', 'COOYjro1mt', 'ja4Yig34Kj', 'yBRYEuQAMC', 'XvlYg8y9GP', 'rfTY7sfc5p', 'UPeYXIYMCA', 'pyKYoNGcCE', 'DF6YhjTTCP'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, zmiTT8MfIrnMZdAt1J.cs	High entropy of concatenated method names: 'UQZXZmYZQv', 'qbvXN6rUMN', 'fLQXYyWUXe', 'pOMXayqro5', 'mG7X3ERV1D', 'kUTXmMQWCd', 'ODgXBsxEVy', 'HjpX0x5XKn', 'uHZXHOlDg5', 'YyUXb73SpC'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, za3l5cjND4NLNjUJsH.cs	High entropy of concatenated method names: 'P4jNkO70Md', 'LGgNn2BCYg', 'qixNf4c8IL', 'VWoN2JueQj', 'rY0NF8vrJ3', 'rSsNGBZHny', 'SCNNeV8Ang', 'wMpNMbbIwf', 'CWKNucKItI', 'hcyNRENRNQ'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, wobfetzyoCSKIeE3kM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'N9GoAghS9M', 'q79oE67rFb', 'DdNogEDDfc', 'xamo7s4sUS', 'Ej5oXd6oON', 'Jfcoo6Wc8M', 'FKrohpL3e6'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, f8hAT8YLP7gxbLHpdL.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'aZf5uxmO16', 'uHL5Rucfrq', 'lrx5ziJkpS', 'afJwLTkeM3', 'EgHwKvGQpq', 'nXKw544gx0', 'fVlwwBK3Xe', 'vKoV3NXJqSnOT71W59c'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, FMqbjCKLh4H5q0Ba22L.cs	High entropy of concatenated method names: 'EbOoPIviEc', 'opAoDduFUP', 'p0qoJ4JfHb', 's9Woxh5l6d', 'hl1oSWTEMs', 'mU3oI1qEfI', 'aL4oU0aaaA', 'Lk8ojPeyK4', 'fOUoi7SMfO', 'u9bocKbmLo'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, YXPk43Ni1pBKjVfOSf.cs	High entropy of concatenated method names: 'Dispose', 'KnaKuZU6WX', 'iZP5WKZYBs', 'sqKVV5a6ns', 'rJmKRiTT8f', 'CrnKzMZdAt', 'ProcessDialogKey', 'QJg5LCEuMf', 'WvA5KZf0Ll', 'ds455Yl3oK'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, dZGeiGrj2NrVuLS35e.cs	High entropy of concatenated method names: 'YsJKma3l5c', 'gD4KBNLNjU', 'zjwKH23n3Q', 'k5iKbC3WKy', 'GmJKE6CvJG', 'TvZKg0tU5P', 'h0Lm08lTro6U2YJ687', 'vxaXjQeNiv56dMfiSX', 'fLWKK4Ia1r', 'JkpKws709I'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, L0oDSqyO4bbtafwmkS.cs	High entropy of concatenated method names: 'Y8WmPWF83V', 'cZfmDTMN7u', 'LIYmJA7r2k', 'H0ymxZPEdO', 'qQTmSayvND', 'jyqmIYll5n', 'ojEmUO51tI', 'S7GmjnsZtQ', 'NrlmiPG784', 'eSjmcmx7vZ'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, e8xLqc1syX4Orjh579.cs	High entropy of concatenated method names: 'rMMAj1a75d', 'CQlAiUOLib', 's1NA8bnVqj', 'ztIAW5Acvv', 'DLrAdtojoS', 'bOGACUiu8K', 'J5TATgSa8k', 'UUFA6u8nw2', 'l3eAlNFtm1', 'FjvApxMSks'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	High entropy of concatenated method names: 'bsEw9lhSZJ', 'h0AwZq1dji', 'qo0wN0P0E9', 'Oq4wYhjVZL', 'Ji4waVtVbU', 'jFOw3ur8vD', 'I8dwmtka2B', 'hOTwBt80Iu', 'z2Sw0NR8Ew', 'LpGwHlFyTX'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, X44r6cK5dk9PsSvkBKA.cs	High entropy of concatenated method names: 'tCahPAFxpd', 'EA9hD78dFU', 'XvZhJ3l6V2', 'zMnUAYZwX0gLTRMtHE9', 'cRn6flZHHxTo3YUIXxb', 'trBZkiZ0eaj39TEe2Rr', 'XxNACGZzwqQDjKw9bPk', 'VNEb34tQgVJ38NMywtW', 'EBLtHXtXrjbgJxMOEJo'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, NilLd55MB9vBSZax7f.cs	High entropy of concatenated method names: 'aBnJIgun8', 'Qe2xQBILP', 'UNPIbyOmq', 'VvCUGpgLI', 'q0siESqWH', 'CrgcvsYmx', 'cKoCtXRx6HXpWxVIUd', 'b8jYn6NTE6ZbhBaMXg', 'qYqX2w56o', 'WAghmHEX7'
Source: 0.2.ORDER SPECIFICATION.exe.424f418.3.raw.unpack, pCEuMfuMvAZf0Llrs4.cs	High entropy of concatenated method names: 'OGsX8pHqeO', 'NSnXW4sRnK', 'w35XVHhXPn', 'o6IXdLnnhQ', 'lGpXkeAQea', 'YdaXCvs9EN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, cYjlLH4jCW2VOlKR96.cs	High entropy of concatenated method names: 'RY63fXqJfB', 'd8e32uj7tE', 'dwx3FvXEu7', 'ToString', 'oDt3GZme21', 'tNw3eJVhhS', 'oA4DiRCFHQPLQAFUXfZ', 'O5G7lVC5aDrtyQq0W4q'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, uJG2vZ80tU5P3l0MYT.cs	High entropy of concatenated method names: 'aWV39DPkal', 'y063NMXHIn', 'hbo3aBIrmp', 'qpL3mvRulG', 'hZ73BTckGx', 'hWEaF1mVO6', 'OF7aGYl6vW', 'P7vaeQkyaL', 'VTpaMfZvCV', 'Llsauk5AdO'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, iWKyL5clMxLoJWmJ6C.cs	High entropy of concatenated method names: 'RCTaSc3vtG', 'V0CaUWVlki', 'imOYV4UmVV', 'LMoYdSVLaB', 'W46YC1wsJx', 'vGdY4emuxx', 'p0rYTpIoMe', 'hwOY62JYj1', 'EI1YyUXIO8', 'XH8YlAKwNt'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, QAP0keG8Yd5jv1Xl0Y.cs	High entropy of concatenated method names: 's6w7McJFGp', 'TWY7RDAUA0', 'dqDXLDcujR', 'HvHXKt24cx', 'FpT7p6XCq1', 'rPi7O8G46T', 'wUH71LDErX', 'Xvv7kCEkx9', 'sIC7nYlju0', 'ow57fOoglL'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, b2a5pwkX0lu50obdgL.cs	High entropy of concatenated method names: 'OwQElVEELJ', 'YVJEOcBTsC', 'VehEkP8Cj2', 'imiEnCBTMZ', 'rGaEWWCUne', 'YceEVutN5y', 'hecEdLWnro', 'EmGECcS55X', 'zexE4eNkx7', 'TsFETSLyO6'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, nVcNWUTErCgkCmphYN.cs	High entropy of concatenated method names: 'jy4mZHedR7', 'eR5mYC9n1U', 'ErYm3nqprX', 'acC3ROQyKK', 'BDT3z1Paqi', 'joUmL3yU7M', 'RdJmKSU2pA', 'VHNm5aVh3g', 'F3ymwiYmV1', 'DZimrPkJcW'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, gl3oKrR1qqiT30vSiT.cs	High entropy of concatenated method names: 'rnloKkR3Th', 'R6MowMpUQa', 'MLnorBitFX', 'y5YoZ18di3', 'JtYoNlT2FC', 'hHcoaivcq5', 'gS0o3xRvsd', 'UCUXexrV1V', 'XwrXMYhjeF', 'P2ZXu5U4Uy'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, WpKvZJijw23n3QB5iC.cs	High entropy of concatenated method names: 'OPiYx9LcR9', 'zM3YIu4pwo', 'COOYjro1mt', 'ja4Yig34Kj', 'yBRYEuQAMC', 'XvlYg8y9GP', 'rfTY7sfc5p', 'UPeYXIYMCA', 'pyKYoNGcCE', 'DF6YhjTTCP'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, zmiTT8MfIrnMZdAt1J.cs	High entropy of concatenated method names: 'UQZXZmYZQv', 'qbvXN6rUMN', 'fLQXYyWUXe', 'pOMXayqro5', 'mG7X3ERV1D', 'kUTXmMQWCd', 'ODgXBsxEVy', 'HjpX0x5XKn', 'uHZXHOlDg5', 'YyUXb73SpC'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, za3l5cjND4NLNjUJsH.cs	High entropy of concatenated method names: 'P4jNkO70Md', 'LGgNn2BCYg', 'qixNf4c8IL', 'VWoN2JueQj', 'rY0NF8vrJ3', 'rSsNGBZHny', 'SCNNeV8Ang', 'wMpNMbbIwf', 'CWKNucKItI', 'hcyNRENRNQ'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, wobfetzyoCSKIeE3kM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'N9GoAghS9M', 'q79oE67rFb', 'DdNogEDDfc', 'xamo7s4sUS', 'Ej5oXd6oON', 'Jfcoo6Wc8M', 'FKrohpL3e6'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, f8hAT8YLP7gxbLHpdL.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'aZf5uxmO16', 'uHL5Rucfrq', 'lrx5ziJkpS', 'afJwLTkeM3', 'EgHwKvGQpq', 'nXKw544gx0', 'fVlwwBK3Xe', 'vKoV3NXJqSnOT71W59c'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, FMqbjCKLh4H5q0Ba22L.cs	High entropy of concatenated method names: 'EbOoPIviEc', 'opAoDduFUP', 'p0qoJ4JfHb', 's9Woxh5l6d', 'hl1oSWTEMs', 'mU3oI1qEfI', 'aL4oU0aaaA', 'Lk8ojPeyK4', 'fOUoi7SMfO', 'u9bocKbmLo'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, YXPk43Ni1pBKjVfOSf.cs	High entropy of concatenated method names: 'Dispose', 'KnaKuZU6WX', 'iZP5WKZYBs', 'sqKVV5a6ns', 'rJmKRiTT8f', 'CrnKzMZdAt', 'ProcessDialogKey', 'QJg5LCEuMf', 'WvA5KZf0Ll', 'ds455Yl3oK'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, dZGeiGrj2NrVuLS35e.cs	High entropy of concatenated method names: 'YsJKma3l5c', 'gD4KBNLNjU', 'zjwKH23n3Q', 'k5iKbC3WKy', 'GmJKE6CvJG', 'TvZKg0tU5P', 'h0Lm08lTro6U2YJ687', 'vxaXjQeNiv56dMfiSX', 'fLWKK4Ia1r', 'JkpKws709I'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, L0oDSqyO4bbtafwmkS.cs	High entropy of concatenated method names: 'Y8WmPWF83V', 'cZfmDTMN7u', 'LIYmJA7r2k', 'H0ymxZPEdO', 'qQTmSayvND', 'jyqmIYll5n', 'ojEmUO51tI', 'S7GmjnsZtQ', 'NrlmiPG784', 'eSjmcmx7vZ'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, e8xLqc1syX4Orjh579.cs	High entropy of concatenated method names: 'rMMAj1a75d', 'CQlAiUOLib', 's1NA8bnVqj', 'ztIAW5Acvv', 'DLrAdtojoS', 'bOGACUiu8K', 'J5TATgSa8k', 'UUFA6u8nw2', 'l3eAlNFtm1', 'FjvApxMSks'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, F7eBRxBmOB5Brcbgw6.cs	High entropy of concatenated method names: 'bsEw9lhSZJ', 'h0AwZq1dji', 'qo0wN0P0E9', 'Oq4wYhjVZL', 'Ji4waVtVbU', 'jFOw3ur8vD', 'I8dwmtka2B', 'hOTwBt80Iu', 'z2Sw0NR8Ew', 'LpGwHlFyTX'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, X44r6cK5dk9PsSvkBKA.cs	High entropy of concatenated method names: 'tCahPAFxpd', 'EA9hD78dFU', 'XvZhJ3l6V2', 'zMnUAYZwX0gLTRMtHE9', 'cRn6flZHHxTo3YUIXxb', 'trBZkiZ0eaj39TEe2Rr', 'XxNACGZzwqQDjKw9bPk', 'VNEb34tQgVJ38NMywtW', 'EBLtHXtXrjbgJxMOEJo'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, NilLd55MB9vBSZax7f.cs	High entropy of concatenated method names: 'aBnJIgun8', 'Qe2xQBILP', 'UNPIbyOmq', 'VvCUGpgLI', 'q0siESqWH', 'CrgcvsYmx', 'cKoCtXRx6HXpWxVIUd', 'b8jYn6NTE6ZbhBaMXg', 'qYqX2w56o', 'WAghmHEX7'
Source: 0.2.ORDER SPECIFICATION.exe.83d0000.7.raw.unpack, pCEuMfuMvAZf0Llrs4.cs	High entropy of concatenated method names: 'OGsX8pHqeO', 'NSnXW4sRnK', 'w35XVHhXPn', 'o6IXdLnnhQ', 'lGpXkeAQea', 'YdaXCvs9EN', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: ORDER SPECIFICATION.exe PID: 2576, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: 24B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: 5B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: 6B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: 6C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: 7C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: 8480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: 9480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: A480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: B480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: 1700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Memory allocated: 50F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Window / User API: threadDelayed 3809			Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Window / User API: threadDelayed 1468			Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 5520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 5032	Thread sleep count: 3809 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 5032	Thread sleep count: 1468 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -99108s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -97796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -97468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -97246s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe TID: 3396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 99108	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 97796	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 97246	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.000000000138C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process created: C:\Users\user\Desktop\ORDER SPECIFICATION.exe "C:\Users\user\Desktop\ORDER SPECIFICATION.exe"			Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Process created: C:\Users\user\Desktop\ORDER SPECIFICATION.exe "C:\Users\user\Desktop\ORDER SPECIFICATION.exe"			Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Users\user\Desktop\ORDER SPECIFICATION.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Users\user\Desktop\ORDER SPECIFICATION.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.432e500.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ORDER SPECIFICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3255257042.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER SPECIFICATION.exe PID: 2576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ORDER SPECIFICATION.exe PID: 6664, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATION.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.432e500.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ORDER SPECIFICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3255257042.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER SPECIFICATION.exe PID: 2576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ORDER SPECIFICATION.exe PID: 6664, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.432e500.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ORDER SPECIFICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.4368f20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATION.exe.432e500.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3255257042.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER SPECIFICATION.exe PID: 2576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ORDER SPECIFICATION.exe PID: 6664, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ORDER SPECIFICATION.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
ORDER SPECIFICATION.exe	38%	Virustotal		Browse
ORDER SPECIFICATION.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
mail.techwiser.in	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://mail.techwiser.in	1%	Virustotal		Browse
http://tempuri.org/DataSet1.xsd)Microsoft	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high
mail.techwiser.in	162.241.123.30	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.000000000138C000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.0000000001331000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.0000000001363000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	ORDER SPECIFICATION.exe, 00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://mail.techwiser.in	ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://account.dyn.com/	ORDER SPECIFICATION.exe, 00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsd)Microsoft	ORDER SPECIFICATION.exe	false	1%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.0000000001331000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.0000000001363000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.000000000134E000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.0000000001331000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.0000000001363000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.000000000134E000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r3.i.lencr.org/0	ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.000000000138C000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253558213.0000000001331000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3253754912.0000000001363000.00000004.00000020.00020000.00000000.sdmp, ORDER SPECIFICATION.exe, 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
162.241.123.30	mail.techwiser.in	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427952
Start date and time:	2024-04-18 11:31:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ORDER SPECIFICATION.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 83 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:31:53	API Interceptor	27x Sleep call for process: ORDER SPECIFICATION.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/
162.241.123.30	invoice & packing list.exe	Get hash	malicious	AgentTesla	Browse
	Draft Sales contract.exe	Get hash	malicious	AgentTesla	Browse
	signed documents and BOL.exe	Get hash	malicious	AgentTesla	Browse
	NOA, BL and invoice.exe	Get hash	malicious	AgentTesla	Browse
	#568350035791.exe	Get hash	malicious	AgentTesla	Browse
	shipping documents and ETA.exe	Get hash	malicious	AgentTesla	Browse
	shipping documents and ETA.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATION.exe	Get hash	malicious	AgentTesla	Browse
	https://t.co/hkbALnjMCQ	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	BKG#SGN2106728.PDF.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	product11221.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	DHL-9384915702.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Outstanding Payment Invoice PO 3400375980.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Arrival Notice PUS_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Purchase Order PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Leoch-Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	p silp AI240190.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Heur.15333.25205.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
mail.techwiser.in	invoice & packing list.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	Draft Sales contract.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	signed documents and BOL.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	NOA, BL and invoice.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	#568350035791.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	shipping documents and ETA.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	shipping documents and ETA.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	QUOTATION.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	BKG#SGN2106728.PDF.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	product11221.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	http://streaming.jsonmediapacks.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.hegemann-reiners.de/	Get hash	malicious	Unknown	Browse	172.67.157.200
	http://gamma.app/docs/Adobe-1098-uanmwmhgl6i90tc?mode=doc	Get hash	malicious	Unknown	Browse	104.18.11.200
	DHL-9384915702.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Outstanding Payment Invoice PO 3400375980.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Arrival Notice PUS_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	5FU4LRpQdy.rtf	Get hash	malicious	Remcos	Browse	104.21.84.67
	NEW ORDER.doc	Get hash	malicious	HTMLPhisher	Browse	104.21.25.202
UNIFIEDLAYER-AS-1US	DHL-9384915702.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	I-IN-6757165752-DEL983527_20240416074318.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	MY69DoYgp5.elf	Get hash	malicious	Mirai	Browse	98.131.25.121
	SecuriteInfo.com.PWSX-gen.32561.14552.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe	Get hash	malicious	AgentTesla	Browse	192.185.35.67
	SecuriteInfo.com.Win32.MalwareX-gen.3610.30636.exe	Get hash	malicious	AgentTesla	Browse	50.87.219.149
	invoice & packing list.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	Draft Sales contract.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	Bank slip.exe	Get hash	malicious	AgentTesla	Browse	50.87.219.149
	https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FQuantexa/IpoXF42991IpoXF42991IpoXF/bWFzc2ltb2JvcnJlbGxpQHF1YW50ZXhhLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	192.185.104.70

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	BKG#SGN2106728.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	product11221.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	product1122.html	Get hash	malicious	Unknown	Browse	104.26.12.205
	DHL-9384915702.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	FACTURA24021151 - BP.vbs	Get hash	malicious	Unknown	Browse	104.26.12.205
	Outstanding Payment Invoice PO 3400375980.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	Arrival Notice PUS_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	Transferencias SEPA.vbs	Get hash	malicious	Unknown	Browse	104.26.12.205
	shipping doc.vbs	Get hash	malicious	GuLoader	Browse	104.26.12.205
	FACTURA 130424435.vbs	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\ORDER SPECIFICATION.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.275411324523825
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ORDER SPECIFICATION.exe
File size:	1'036'288 bytes
MD5:	34070a881f75f12cd4e5bfcb3bdf48c6
SHA1:	68d694a74aa970c84bf48ca15c979b408970843a
SHA256:	562b14cbead15ecad71e6e25e6c00656e47c3cf6e7d12eec64bfb4b9a6aaca05
SHA512:	c2bcac60beacd3f58e90bf1b04ad5b9dd4397c4e38efa191c1c74ace3bbeaf2ca0c35c17d5f29b21e414061fc27177084c220b5d2fd951f7c1ba0131ac86ffca
SSDEEP:	24576:N6gObWRvPAbx/N35bTeguR2EHPF9kPps:BObIAt/nbTeguRdnd
TLSH:	8725D13D1CBD2A3B91B6D2A9CFE98567F040D07B3A11AD7698D383958346A9335C313E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............R.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4fe352
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBCABE6C0 [Tue Apr 22 08:52:16 2070 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfe2ff	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x624	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x102000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfc024	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfc358	0xfc400	e0f0abf6c3d65bb0b192c6d7de41c6fe	False	0.7812267715559961	data	7.283155285954524	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x100000	0x624	0x800	bf635c92f289ace403c7be99ceb5d032	False	0.33349609375	data	3.458579280664745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x102000	0xc	0x200	b14bd444b924a15fdc3663ba6da3afbb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x100090	0x394	OpenPGP Secret Key			0.42139737991266374
RT_MANIFEST	0x100434	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 11:31:57.957952023 CEST	49705	443	192.168.2.5	104.26.12.205
Apr 18, 2024 11:31:57.958019972 CEST	443	49705	104.26.12.205	192.168.2.5
Apr 18, 2024 11:31:57.958092928 CEST	49705	443	192.168.2.5	104.26.12.205
Apr 18, 2024 11:31:57.966128111 CEST	49705	443	192.168.2.5	104.26.12.205
Apr 18, 2024 11:31:57.966165066 CEST	443	49705	104.26.12.205	192.168.2.5
Apr 18, 2024 11:31:58.198847055 CEST	443	49705	104.26.12.205	192.168.2.5
Apr 18, 2024 11:31:58.198915958 CEST	49705	443	192.168.2.5	104.26.12.205
Apr 18, 2024 11:31:58.202697039 CEST	49705	443	192.168.2.5	104.26.12.205
Apr 18, 2024 11:31:58.202708006 CEST	443	49705	104.26.12.205	192.168.2.5
Apr 18, 2024 11:31:58.203125954 CEST	443	49705	104.26.12.205	192.168.2.5
Apr 18, 2024 11:31:58.245042086 CEST	49705	443	192.168.2.5	104.26.12.205
Apr 18, 2024 11:31:58.362745047 CEST	49705	443	192.168.2.5	104.26.12.205
Apr 18, 2024 11:31:58.404118061 CEST	443	49705	104.26.12.205	192.168.2.5
Apr 18, 2024 11:31:58.520750999 CEST	443	49705	104.26.12.205	192.168.2.5
Apr 18, 2024 11:31:58.520826101 CEST	443	49705	104.26.12.205	192.168.2.5
Apr 18, 2024 11:31:58.520888090 CEST	49705	443	192.168.2.5	104.26.12.205
Apr 18, 2024 11:31:58.527442932 CEST	49705	443	192.168.2.5	104.26.12.205
Apr 18, 2024 11:31:59.350140095 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:31:59.510189056 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:31:59.510404110 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:31:59.940258980 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:31:59.940485001 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:00.100958109 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:00.101159096 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:00.262620926 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:00.263204098 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:00.435519934 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:00.435547113 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:00.435561895 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:00.435661077 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:00.473829985 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:00.634385109 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:00.640681028 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:00.800903082 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:00.802711010 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:00.963260889 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:00.964385033 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:01.139029026 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:01.139482021 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:01.299968004 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:01.300234079 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:01.504909992 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:01.528764009 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:01.528966904 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:01.689587116 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:01.691016912 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:01.691673040 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:01.691730976 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:01.691752911 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:01.691771030 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:32:01.865835905 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:01.865876913 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:01.865914106 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:01.865950108 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:32:01.916928053 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:33:39.135857105 CEST	49706	587	192.168.2.5	162.241.123.30
Apr 18, 2024 11:33:39.296905994 CEST	587	49706	162.241.123.30	192.168.2.5
Apr 18, 2024 11:33:39.297616005 CEST	49706	587	192.168.2.5	162.241.123.30

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 11:31:57.839766979 CEST	51302	53	192.168.2.5	1.1.1.1
Apr 18, 2024 11:31:57.944309950 CEST	53	51302	1.1.1.1	192.168.2.5
Apr 18, 2024 11:31:59.112888098 CEST	49720	53	192.168.2.5	1.1.1.1
Apr 18, 2024 11:31:59.349308968 CEST	53	49720	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 11:31:57.839766979 CEST	192.168.2.5	1.1.1.1	0x5f5c	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:31:59.112888098 CEST	192.168.2.5	1.1.1.1	0x4bf7	Standard query (0)	mail.techwiser.in	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 11:31:57.944309950 CEST	1.1.1.1	192.168.2.5	0x5f5c	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:31:57.944309950 CEST	1.1.1.1	192.168.2.5	0x5f5c	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:31:57.944309950 CEST	1.1.1.1	192.168.2.5	0x5f5c	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:31:59.349308968 CEST	1.1.1.1	192.168.2.5	0x4bf7	No error (0)	mail.techwiser.in	162.241.123.30	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.26.12.205	443	6664	C:\Users\user\Desktop\ORDER SPECIFICATION.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:31:58 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-18 09:31:58 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 09:31:58 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8763a51a19356740-ATL
2024-04-18 09:31:58 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 18, 2024 11:31:59.940258980 CEST	587	49706	162.241.123.30	192.168.2.5	220-sh014.hostgator.in ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 15:01:59 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 11:31:59.940485001 CEST	49706	587	192.168.2.5	162.241.123.30	EHLO 494126
Apr 18, 2024 11:32:00.100958109 CEST	587	49706	162.241.123.30	192.168.2.5	250-sh014.hostgator.in Hello 494126 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 11:32:00.101159096 CEST	49706	587	192.168.2.5	162.241.123.30	STARTTLS
Apr 18, 2024 11:32:00.262620926 CEST	587	49706	162.241.123.30	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	11:31:53
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\ORDER SPECIFICATION.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ORDER SPECIFICATION.exe"
Imagebase:	0x40000
File size:	1'036'288 bytes
MD5 hash:	34070A881F75F12CD4E5BFCB3BDF48C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2054266616.000000000432E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:31:56
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\ORDER SPECIFICATION.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ORDER SPECIFICATION.exe"
Imagebase:	0x140000
File size:	1'036'288 bytes
MD5 hash:	34070A881F75F12CD4E5BFCB3BDF48C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:31:56
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\ORDER SPECIFICATION.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ORDER SPECIFICATION.exe"
Imagebase:	0xcd0000
File size:	1'036'288 bytes
MD5 hash:	34070A881F75F12CD4E5BFCB3BDF48C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3255257042.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3252989012.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3255257042.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3255257042.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	1

Executed Functions

Function 00B00D33 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053254130.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4abd4259564bde245765f86575d2d2e57c0ca854fe97d64b9018f7b616b822
Instruction ID: 85ead32842cedca393bd53692a07132107c60932247951bc5faaaef334f60fc5
Opcode Fuzzy Hash: ae4abd4259564bde245765f86575d2d2e57c0ca854fe97d64b9018f7b616b822
Instruction Fuzzy Hash: A0A00240D9E455F1F4043C1A10811B5C8BD664F304D2138C4409A334930680D500305D

Uniqueness

Uniqueness Score: -1.00%

Function 00BAAD88 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00BAAFDE

Memory Dump Source

Source File: 00000000.00000002.2053368878.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_ORDER SPECIFICATION.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b0faf77114052671748e2f1ab9301f76307ec6027c9f51387753c6fbb0884652
Instruction ID: 4cae02ad78cd0ea2410e5de8e688903ab50b25c2a887736a131de2e92b380307
Opcode Fuzzy Hash: b0faf77114052671748e2f1ab9301f76307ec6027c9f51387753c6fbb0884652
Instruction Fuzzy Hash: ED716870A04B058FD724DF29D0407AABBF5FF89304F108A6DD48AD7A50DB75E949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5A84 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2053368878.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f9d60b93989ced9b06abe375909129b79affc4717292e7736c4c16848d2016
Instruction ID: 42fa229565aeafef725dc6c74fc4bd221c2ddbc0f363e9f1b5d7e8f0a8781464
Opcode Fuzzy Hash: 35f9d60b93989ced9b06abe375909129b79affc4717292e7736c4c16848d2016
Instruction Fuzzy Hash: 0741D1B1808A49CFDF21CFA8C8857EEBBF0EF56314F10829AC455AB251C775AA46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BA590C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BA59C9

Memory Dump Source

Source File: 00000000.00000002.2053368878.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_ORDER SPECIFICATION.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4b90d5a0646bed3d5eb35de13bc7579c0df6315595a6396b1536b2382dc06da6
Instruction ID: 8ae86b6e5650d61b964c5c12977655e88d6ee3765db4ded291753aa7c60d8f45
Opcode Fuzzy Hash: 4b90d5a0646bed3d5eb35de13bc7579c0df6315595a6396b1536b2382dc06da6
Instruction Fuzzy Hash: D841D2B1D04619CFDB24DFA9C884ACDBBF5FF49304F20816AD408AB255DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BA44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BA59C9

Memory Dump Source

Source File: 00000000.00000002.2053368878.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_ORDER SPECIFICATION.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c70afa336056bf5a4573d78aa1a26d6c22f2cf217256c7a30a5a87aa5f58f1f9
Instruction ID: f4d9f90d16e7f76e98ddc09acdc6b93677de633be23e47fdeb66ca247b0abe62
Opcode Fuzzy Hash: c70afa336056bf5a4573d78aa1a26d6c22f2cf217256c7a30a5a87aa5f58f1f9
Instruction Fuzzy Hash: 6441D2B0D0471DCBDB24DFA9C884A9EBBF5BF89304F20816AD408AB255DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD25C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BAD636,?,?,?,?,?), ref: 00BAD6F7

Memory Dump Source

Source File: 00000000.00000002.2053368878.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_ORDER SPECIFICATION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c74e86141624cfa384d6d1f6e00fa120d51fa7849e64c02c76e8fbbec009bb89
Instruction ID: d73be23f8c1dd75fedb767971df1a1e3032f4ee5dc574a8362b8c68d903774c6
Opcode Fuzzy Hash: c74e86141624cfa384d6d1f6e00fa120d51fa7849e64c02c76e8fbbec009bb89
Instruction Fuzzy Hash: 0121E5B59002489FDB10CFAAD584ADEFBF4FB49310F14845AE919A7350D378A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD668 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BAD636,?,?,?,?,?), ref: 00BAD6F7

Memory Dump Source

Source File: 00000000.00000002.2053368878.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_ORDER SPECIFICATION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f975768c7fa1e2db82057a245272e68fe9fbb5607cbbeb02712d15d47d6b72f
Instruction ID: 199a158d6f4149af7225fae502c16864b24a45019e54dec0e29fca7cb235c92a
Opcode Fuzzy Hash: 7f975768c7fa1e2db82057a245272e68fe9fbb5607cbbeb02712d15d47d6b72f
Instruction Fuzzy Hash: 792114B59002189FDB10CF9AD984ADEFFF4FB48310F14801AE918A3350D378A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA110 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00BAB059,00000800,00000000,00000000), ref: 00BAB26A

Memory Dump Source

Source File: 00000000.00000002.2053368878.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_ORDER SPECIFICATION.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5fb0db775d50ced047730c25f5839a7f62d779d16b2579761a93a17f7af30e03
Instruction ID: 6d2c508c60b2aa2c33e3e5effaec956c9706885cba890ad8305b40b4aadb5b73
Opcode Fuzzy Hash: 5fb0db775d50ced047730c25f5839a7f62d779d16b2579761a93a17f7af30e03
Instruction Fuzzy Hash: 351112B68043089FDB10DF9AC444BDEFBF4EB89310F10846AE529A7201C379A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BAB1F8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00BAB059,00000800,00000000,00000000), ref: 00BAB26A

Memory Dump Source

Source File: 00000000.00000002.2053368878.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_ORDER SPECIFICATION.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8946143c3e87cdae360b25a7f75bd8abe4733d06104382e7d1b5ac1f0cd0418d
Instruction ID: 499b9f69f68229b683cd1a63cdc580ecd6e8114f5719a5cbfa2ddf80708bfaa3
Opcode Fuzzy Hash: 8946143c3e87cdae360b25a7f75bd8abe4733d06104382e7d1b5ac1f0cd0418d
Instruction Fuzzy Hash: E61114B69002498FDB10CF9AC984ADEFFF4EB89310F10856ED429A7650C378A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B01A40 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00B01AA5

Memory Dump Source

Source File: 00000000.00000002.2053254130.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_ORDER SPECIFICATION.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 955835e14021e14f50eabbc46e4e59b1c488fd0e39455c3120e5cfe7c15be2bb
Instruction ID: 55515a6389b22caec584082189831d96ba8b46215a7fbd691ca6ed62722baab7
Opcode Fuzzy Hash: 955835e14021e14f50eabbc46e4e59b1c488fd0e39455c3120e5cfe7c15be2bb
Instruction Fuzzy Hash: AC11C2B58002499FDB10DF9AD985BDEFFF8EB49324F108459E918A7340D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BAAF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00BAAFDE

Memory Dump Source

Source File: 00000000.00000002.2053368878.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_ORDER SPECIFICATION.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: acbee7062e337a2652e500813fdcb7069b0f26cc00346add10d54b38e7f6808e
Instruction ID: 8ebc3d27985107d5db5a3fb1882903a313a64319d48e0fa3717d1b5ed886ad43
Opcode Fuzzy Hash: acbee7062e337a2652e500813fdcb7069b0f26cc00346add10d54b38e7f6808e
Instruction Fuzzy Hash: 6211E0B6C042498FCB14DF9AC544ADEFBF4EF89314F10845AD429A7610D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B01A48 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00B01AA5

Memory Dump Source

Source File: 00000000.00000002.2053254130.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_ORDER SPECIFICATION.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ed0e2c66b09e9fb00f231d29446a88e0878acc5405a7cffd4851af4e4fa93ef6
Instruction ID: 3cac0962a52cd858b8f0ca0c4902a9b2beec775537815cf9780ee87411092d3f
Opcode Fuzzy Hash: ed0e2c66b09e9fb00f231d29446a88e0878acc5405a7cffd4851af4e4fa93ef6
Instruction Fuzzy Hash: 2A11D3B58003499FDB10DF9AC585BDEFFF8EB49310F108459E518A7240C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0081D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052771919.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_81d000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa064852e1c0bed6f1bd4af6d0abd53c91a6add9cdde15f57a59e0489b0c32fa
Instruction ID: 81652b32e922e98221dcc66ee224107a80298dcf18517d9cd08fda89a4bb3187
Opcode Fuzzy Hash: aa064852e1c0bed6f1bd4af6d0abd53c91a6add9cdde15f57a59e0489b0c32fa
Instruction Fuzzy Hash: C6210371500344DFCB15DF14D9C0FA6BF6AFF98318F20C569E9098B256C33AD896DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0081D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052771919.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_81d000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0214706e38216ff53403946c932dedda09288e8c13085b76f1c8e0962a32dc3a
Instruction ID: b07ef6a066113149ed3619b28da39227b743cd7d42d29e1f9e980652fd4c3762
Opcode Fuzzy Hash: 0214706e38216ff53403946c932dedda09288e8c13085b76f1c8e0962a32dc3a
Instruction Fuzzy Hash: 70210671500304DFDB05DF14D9C0B56BF69FF98314F20C569E9098B256C33AE896D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0082D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052817378.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6988b9274c4b53ccf00242a5072493baa590991fe3d3a71526e436e400e884
Instruction ID: d14687713803683bf5df468712494a1a1dc427cdd3ee976efdbcc618fcfcb38b
Opcode Fuzzy Hash: 0c6988b9274c4b53ccf00242a5072493baa590991fe3d3a71526e436e400e884
Instruction Fuzzy Hash: 092104B1544304EFDB04DF54E5C0B26BFA5FB98314F20C56DD8098B396C37AE886CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052817378.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750896bd3c41e49e590e5289dfc40c897d775b5c91813f88d5c08378b360479e
Instruction ID: 30abcd788c9932c1e5cc79f476fac0539ba3662b6b64205c15688cf5262c7a65
Opcode Fuzzy Hash: 750896bd3c41e49e590e5289dfc40c897d775b5c91813f88d5c08378b360479e
Instruction Fuzzy Hash: 3A21F271604744DFCB14DF24E984B26BF65FB88314F20C569D94A8B3A6C33AD887CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0081D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052771919.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_81d000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: e9c012e31079974d01c5059321bbd4f6f813f5ceeef44f05e0a49f58fa029e5f
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: A111DF72404340CFCB16CF00D5C4B56BF71FB98324F24C6A9D9094B256C33AE85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0081D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052771919.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_81d000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 8dc1ce435c2f61966a31dc9f64e3bd0faa854ae5e06481acf88cd0d81c4908ad
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 2611DF72404280CFCB06CF10D5C4B96BF72FB98314F24C6A9D8494B256C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0082D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052817378.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 460f3e033addf338c1e5be1228142f6b9ca31be27008ef511325c8de65cd7189
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: AD119D75504380DFDB06CF54E5C4B15BFA2FB88314F24C6A9D8498B656C33AE84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0082D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052817378.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: b8d386ea37286f8ca44eef2ad48a249ccd98d9364c9f1a8cbd729bcb213b2675
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: BB118E75504780DFDB15CF14E5C4B15BF61FB44314F24C6A9D8498B666C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0081D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052771919.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_81d000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aba174cc50c8e2e847a2d87ede5f26bc98cfa859579e0af7e151e45f3c6aa9
Instruction ID: f4c77831d892525fa48e57199a9d4910fd724608eca980ea57ff466e404b9da0
Opcode Fuzzy Hash: d4aba174cc50c8e2e847a2d87ede5f26bc98cfa859579e0af7e151e45f3c6aa9
Instruction Fuzzy Hash: 55012B710043089AE7108A65CD84BA7FF9CFF85324F28CD29ED098A2C2C2789C80CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0081D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052771919.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_81d000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fafb6b9d752337cf764e34006578ac382c0f10d0057d4311cd6e9761ceac738
Instruction ID: d291546b33d574cf47aeaca385d28351a37773494c42daf427e61c06a857bb8b
Opcode Fuzzy Hash: 6fafb6b9d752337cf764e34006578ac382c0f10d0057d4311cd6e9761ceac738
Instruction Fuzzy Hash: EDF0C2720043449AE7108A16C884BA6FFACEF91334F18C95AED084A2C2C2799840CA70

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B03150 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053254130.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca1879fb61adbfc789b12e4077a74a730d738ba830a67dc8b64ef57fb4309f6
Instruction ID: bd8eb91e0c0a88e382d940c27947dbd07d6f6018a2e6056391a6e3cdbd98aa73
Opcode Fuzzy Hash: 2ca1879fb61adbfc789b12e4077a74a730d738ba830a67dc8b64ef57fb4309f6
Instruction Fuzzy Hash: 72D189317006008FDB19DB75C4597AEBBFAAF8AB40F1444ADE1469B2D1DB34EE41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B00390 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053254130.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f00048161995009114778119c844721db130997c730a3e7b0a61483df159841
Instruction ID: 62bcda08bb10dd72c883901a0a472ed90ff7756bf1c06d578fbb6688e17c5a2c
Opcode Fuzzy Hash: 0f00048161995009114778119c844721db130997c730a3e7b0a61483df159841
Instruction Fuzzy Hash: AEE1B674E102198FCB14DFA9C980AAEBBF2FF89305F2481A9D415AB356D731AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD59C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053368878.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626bcc058f754e931ceef2f68075582d7bc944652ccdc8abccf78bedc3e374cc
Instruction ID: 10d7a47675fcbdc8b35d024b3421a6e7ae56ae5aa5f09fe922da94b1ada9f196
Opcode Fuzzy Hash: 626bcc058f754e931ceef2f68075582d7bc944652ccdc8abccf78bedc3e374cc
Instruction Fuzzy Hash: E2A13932E0420ACFCF15DFA4C9445EEB7F2FF86300B1585BAE815AB265DB359916CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ORDER SPECIFICATION.exePID: 6664, Parent PID: 2576COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	147
Total number of Limit Nodes:	15

Executed Functions

Function 06C83028 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C836FE
$]q, xrefs: 06C83727
$]q, xrefs: 06C8374B
$]q, xrefs: 06C8370A
$]q, xrefs: 06C83757
$]q, xrefs: 06C83733

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: d530c3346f290915d2b381f4db9234c11168a345f801174a1773c01435a0da8a
Instruction ID: d1ba33311263b6f993550f64b97ecc0a7e90212fdc42f7af2aa229f9971d7e55
Opcode Fuzzy Hash: d530c3346f290915d2b381f4db9234c11168a345f801174a1773c01435a0da8a
Instruction Fuzzy Hash: 01325E30E1075ACFCB55EFA5C99459DB3B6FF89304F10966AD409A7264EB30EE85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06C87D40 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C880A3
$]q, xrefs: 06C880AF

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 698b99fd36584f255755ee5bd567e0c5a31d16c9d8aece1d18343a509b4e6f5b
Instruction ID: fa90b654a25e6d61c218501f64b2c22a8c4c2f103f11eef059b2eac1e86f062a
Opcode Fuzzy Hash: 698b99fd36584f255755ee5bd567e0c5a31d16c9d8aece1d18343a509b4e6f5b
Instruction Fuzzy Hash: A302D230B002058FDB64EF69D490AAEB7E6FF84308F648529D405DB791EB35ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C85570 Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

$, xrefs: 06C85C7F

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 96e593dbcc828a429c74cfedd38edc76d6e087b94e2e0c51f53d8cca90fed58f
Instruction ID: 22258aa4c5ad9febc25415c1054bfb02ba813cfcf18df6e058256dd399370540
Opcode Fuzzy Hash: 96e593dbcc828a429c74cfedd38edc76d6e087b94e2e0c51f53d8cca90fed58f
Instruction Fuzzy Hash: 9822D335E002158FDFA4EFA4C4906AEBBB2EF84318F64846AD405EB351DB75DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C8C148 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d168a4f40642bfb0deb66be208b07a7e5d0ff558120bb0412fa328b3a644af6f
Instruction ID: 4aaf0a2710630f859bccbb6aeef9cc3b634f5f91b61d64251defdecb977ce0bc
Opcode Fuzzy Hash: d168a4f40642bfb0deb66be208b07a7e5d0ff558120bb0412fa328b3a644af6f
Instruction Fuzzy Hash: 5D329134B00209CFDB64EF69D890AAEB7B6FB84314F108529D405E7395DB39ED46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C8B1E8 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5348ff6dd712b490e0a257549fc5ee36918d3fd173e21761a68223fbad17a6c9
Instruction ID: ca9ee9b2d4ce4f2595e6a0ccf8348fcdb8c37fdd66689bc8c1687a83df9b405f
Opcode Fuzzy Hash: 5348ff6dd712b490e0a257549fc5ee36918d3fd173e21761a68223fbad17a6c9
Instruction Fuzzy Hash: A7226270E002098FDF74EF69D5907ADB7B6EB89314F24892AE405DB391DA38DD81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06C8AC90 Relevance: 10.4, Strings: 8, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C8AE3F
$]q, xrefs: 06C8AE10
$]q, xrefs: 06C8ADB1
$]q, xrefs: 06C8AE5C
$]q, xrefs: 06C8ADBD
$]q, xrefs: 06C8AE33
$]q, xrefs: 06C8AE04
$]q, xrefs: 06C8AE68

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: eec1404bfdce9d80b4464b08c417edd4b8262353b98529fffc2a70cdf5e5ca32
Instruction ID: 974f34455a95d93ab667167b9d3beaad0f7441fecf158b59d7ec47f8e4b6133d
Opcode Fuzzy Hash: eec1404bfdce9d80b4464b08c417edd4b8262353b98529fffc2a70cdf5e5ca32
Instruction Fuzzy Hash: F7E16030E0020A8FDB65EFA9D8906AEB7B6FF85304F10892AD405EB355DB35DD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C8B618 Relevance: 8.0, Strings: 6, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C8BB95
$]q, xrefs: 06C8BB61
$]q, xrefs: 06C8BBA1
$]q, xrefs: 06C8BBC9
$]q, xrefs: 06C8BBD5
$]q, xrefs: 06C8BB6D

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: ff4ad411d00b9c797eb14c5ca6b95a25728a9da21e3add95ff7423a9c1906672
Instruction ID: 76b7cad4d60e70b9d584d998cd3e61ac8a8ec1a780307664fa65144556d0a0ba
Opcode Fuzzy Hash: ff4ad411d00b9c797eb14c5ca6b95a25728a9da21e3add95ff7423a9c1906672
Instruction Fuzzy Hash: 0F026B30E002098FDBB4EF69D480AADB7B6FF85318F24856AD405EB255DB34ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C62E03 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06C62E86
GetCurrentThread.KERNEL32 ref: 06C62EC3
GetCurrentProcess.KERNEL32 ref: 06C62F00
GetCurrentThreadId.KERNEL32 ref: 06C62F59

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ade759414034dac8d90c013a06201b4f421fc5a20a5819d9c2c417412b0ce3ea
Instruction ID: 774810ee48bbe7620f0b5096549224f2048be532bb5a38088aa23fdb4dc6d349
Opcode Fuzzy Hash: ade759414034dac8d90c013a06201b4f421fc5a20a5819d9c2c417412b0ce3ea
Instruction Fuzzy Hash: 655149B09002498FDB54DFAAD948BEEBBF5FF48304F208459E419A7350D7385944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C62E08 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06C62E86
GetCurrentThread.KERNEL32 ref: 06C62EC3
GetCurrentProcess.KERNEL32 ref: 06C62F00
GetCurrentThreadId.KERNEL32 ref: 06C62F59

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f3f16d24515934958053d7536081b08320e61f99c804863f0a6231a41841f7e6
Instruction ID: 8f72aabf65e3dfcec287cbebf47df2b28102f1965925560d40615cea9f141b00
Opcode Fuzzy Hash: f3f16d24515934958053d7536081b08320e61f99c804863f0a6231a41841f7e6
Instruction Fuzzy Hash: 175148B09002098FDB54DFAAD948BDEBBF5FF48304F208459E419A7350D7386944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06C89110 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C8919E
$]q, xrefs: 06C89157
$]q, xrefs: 06C89163
$]q, xrefs: 06C89192

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 1f6437dc18af5fa0a5e637fbec2ec1b74cc39720ec26e5fa18656c18805df851
Instruction ID: 272cf826d74e3ee55ea08aeb9b538a88405a35609a06d3d02c9076603dfae283
Opcode Fuzzy Hash: 1f6437dc18af5fa0a5e637fbec2ec1b74cc39720ec26e5fa18656c18805df851
Instruction Fuzzy Hash: B1914F30F1020A9FDBA5EF69D850BAEB7F6FF85204F108569C409EB344EA349D46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C8CF00 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C8D2F7
$]q, xrefs: 06C8D2FF
$]q, xrefs: 06C8D30B

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: ea53a55d69083453a23c8000b1e4e6e57fa5fdf8b21c02207b801a011b6403cc
Instruction ID: d453f9977fc9c578c297f610688a871da628db6721035193fda0f8c8f273afb7
Opcode Fuzzy Hash: ea53a55d69083453a23c8000b1e4e6e57fa5fdf8b21c02207b801a011b6403cc
Instruction Fuzzy Hash: 57624F3060020A8FCB55EF68E590A5EB7B6FF84704B108A79D0069F769DB79FD46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06C84B38 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 06C84C89
\Obq, xrefs: 06C84D13
fbq, xrefs: 06C84B63

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 8d835df0757b0e9b247b230236224be2b056cf2a50457d2ff9c7b1c0dfb20335
Instruction ID: 5ea42e4442467916d324043568d09d2b42b2c3e860c420cfb180ea118e866e6a
Opcode Fuzzy Hash: 8d835df0757b0e9b247b230236224be2b056cf2a50457d2ff9c7b1c0dfb20335
Instruction Fuzzy Hash: D6618130F002199FEB649FA5C8547AEBAF6FF88704F20842AD506AB395DB758C45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C89105 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C89157
$]q, xrefs: 06C89192

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: a5e12205a4c16ab94aefb5ab7b3b104a9c2979182b46597d2b4d68518be465b9
Instruction ID: 93f18b50a817ddc4bef9182b5b7028ac787431afa7d3b1bb2e4bf5e69174052c
Opcode Fuzzy Hash: a5e12205a4c16ab94aefb5ab7b3b104a9c2979182b46597d2b4d68518be465b9
Instruction Fuzzy Hash: B4517130B102069FDB95EB79D850BAEB7FAFB88644F148469C409DB384EA34DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C84B28 Relevance: 2.6, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 06C84C89
fbq, xrefs: 06C84B63

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: b06ed730c6496cf2ef3b7a2bd7c18dad72764f4fd3e3d7befddec46f8e1d21d7
Instruction ID: 5b2b39ceada1012ffeca7aa0f9ff6753b565e1dc2abcebc716e672288d0bda58
Opcode Fuzzy Hash: b06ed730c6496cf2ef3b7a2bd7c18dad72764f4fd3e3d7befddec46f8e1d21d7
Instruction Fuzzy Hash: 3E518E70F002099FEB549FA5C854BAEBAF7FF88700F20852AD506AB395DA749C41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C6B218 Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6708ca2da36c088bdde7ebd946b3a4788da154b58ad6330e15c37b25db38982
Instruction ID: 1e822001cab4485e1c6411f16efd43f354a4eba3a4d12b03a903cfe6747e6fac
Opcode Fuzzy Hash: a6708ca2da36c088bdde7ebd946b3a4788da154b58ad6330e15c37b25db38982
Instruction Fuzzy Hash: 61814570A00B458FD7A4DF2AD48479ABBF1FF88300F00892EE49AD7A50DB74E955CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06C6D7C5 Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C6D922

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a43d9c8445d2c99d87703bb29bd0beecda59b877dc2e3eab5685a8e0fc571800
Instruction ID: 413cf1bb4f9a0f0463b01ee0e62790649e58919c276bf74a82f46fb0b36cbd94
Opcode Fuzzy Hash: a43d9c8445d2c99d87703bb29bd0beecda59b877dc2e3eab5685a8e0fc571800
Instruction Fuzzy Hash: DE51E1B1D00249AFDF15CF9AC884ADDBFB6BF48314F14816AF819AB220D775A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0170EB68 Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3254471224.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1700000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0398d7f0d1f4ed7953b3b5450eed6675bae059b0c7ff3d9a32e1c4b8763565
Instruction ID: bb2b9ad300643abfa84b91097d5de8f04f4adf807d128d21a5c6419f13e913b8
Opcode Fuzzy Hash: 0b0398d7f0d1f4ed7953b3b5450eed6675bae059b0c7ff3d9a32e1c4b8763565
Instruction Fuzzy Hash: 4F415372D043458FCB15DFA9C8042AEBFF2AF89310F15896AD509A7391EB789845CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 06C6D804 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C6D922

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 22575608827a5deae1a66adde2ab2de9482721df19b126efe2015f85e2f668d8
Instruction ID: 825e9a9664e80fceef29894305e2a509c18c74c5b57823d2d9cee1908c4d91c4
Opcode Fuzzy Hash: 22575608827a5deae1a66adde2ab2de9482721df19b126efe2015f85e2f668d8
Instruction Fuzzy Hash: 0751D2B1D00349AFDB14CF9AC884ADEFFB5BF48314F64852AE419AB210D775A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06C6D810 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C6D922

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a61ccfd4569954ec267f51a56343cb75505c2e359dcdca8764d725156ba60b5a
Instruction ID: eb98f41f2ebd63759d65aaa947adf5304552ea0865b4c32cc06183a3ae259208
Opcode Fuzzy Hash: a61ccfd4569954ec267f51a56343cb75505c2e359dcdca8764d725156ba60b5a
Instruction Fuzzy Hash: 1C41C2B1D00349AFDF14CF9AC884ADEBBB5BF48314F24852AE419AB210D775A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06C6CD6C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06C6FE91

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3ac71a59cce6845f036d71e0f0bfd35f78ad9c41adfa53bae410b793ad587905
Instruction ID: d6247521295a564277884b9b9ef07926df378cc074f2199ea8a9ef2500990009
Opcode Fuzzy Hash: 3ac71a59cce6845f036d71e0f0bfd35f78ad9c41adfa53bae410b793ad587905
Instruction Fuzzy Hash: BA4128B49003099FCB54CF9AC488AAABBF6FF88314F24C45DE519A7321D374A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06C63048 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C630D7

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 02ea0618817cf3cff53acdd49faed578e00a3be4d1fe41a98aaf396ef94d87e9
Instruction ID: b86891ab87bbed9b1c35b9e63094ee5f923ea766338db53c2e39e4a8307354d8
Opcode Fuzzy Hash: 02ea0618817cf3cff53acdd49faed578e00a3be4d1fe41a98aaf396ef94d87e9
Instruction Fuzzy Hash: 3521E5B5D002489FDB10CFAAD584ADEBBF5FF48310F14841AE958A3250D3799944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C63050 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C630D7

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 61eca0062984eb141210e3f456b96215beeade773c01582f60c849689b42c956
Instruction ID: e121580b3d2ba6253308a3555ff65ce0a8e55d2ac3a6c16e6756e43797a06d5d
Opcode Fuzzy Hash: 61eca0062984eb141210e3f456b96215beeade773c01582f60c849689b42c956
Instruction Fuzzy Hash: D521C6B5D00248AFDB10CF9AD584ADEFBF5FB48310F14841AE918A3350D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C6B679 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06C6B4F9,00000800,00000000,00000000), ref: 06C6B6EA

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 054b86223e6dc0bc53830a454e5b17ef46bd05ab645ab475d087a902198c307a
Instruction ID: 29463ec9b8bfbf42b65357638dd992d92f3ab702082e1292205f85b93f71f31d
Opcode Fuzzy Hash: 054b86223e6dc0bc53830a454e5b17ef46bd05ab645ab475d087a902198c307a
Instruction Fuzzy Hash: 031117B6C002099FDB14CF9AD884ADEFBF4FB88310F10841AE419A7210C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C6A1C0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06C6B4F9,00000800,00000000,00000000), ref: 06C6B6EA

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8d60faae3d045286149ca92e7fc4b637b7fa8d3fba53f711aeeef5f1a4520aa3
Instruction ID: 36c48e88460f6920306b50f44102460e65782e6e2a49b0e44c584c84c56e318c
Opcode Fuzzy Hash: 8d60faae3d045286149ca92e7fc4b637b7fa8d3fba53f711aeeef5f1a4520aa3
Instruction Fuzzy Hash: E811E4B6D042099FDB14DF9AD884ADEFBF4FB48310F10842EE519A7210C379A945CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0170EC50 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0170ECB7

Memory Dump Source

Source File: 00000003.00000002.3254471224.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1700000_ORDER SPECIFICATION.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0e304b387c18d0da4119f8a5abc23a197fd8258e97c234ba9c6e66857dbdb311
Instruction ID: c9f94101cb13e705d41e1e11be4499b38da1bc41ca6622baf1feb3e17b3affb4
Opcode Fuzzy Hash: 0e304b387c18d0da4119f8a5abc23a197fd8258e97c234ba9c6e66857dbdb311
Instruction Fuzzy Hash: D211EFB1C006599BCB10DFAAC544BDEFBF4BF48320F14856AE918A7240D779A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 06C6B418 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06C6B47E

Memory Dump Source

Source File: 00000003.00000002.3260055473.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c60000_ORDER SPECIFICATION.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 720081758fed5a30fb10765524eabb826cde808982e39da4337e4089c6f98749
Instruction ID: f4c712237004d2df6c61fb15159d96f4f42d5599264fe545e0bb7d3e916bdc79
Opcode Fuzzy Hash: 720081758fed5a30fb10765524eabb826cde808982e39da4337e4089c6f98749
Instruction Fuzzy Hash: 3911E0B5C003499FCB10DF9AC484ADEFBF4EF88324F10841AD429A7210D3B9A645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C8DA75 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06C8DBD1

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 50ee67f2dc0b6a803bb903ae7919f72a1a546c20e406202d0b734e1a7e149073
Instruction ID: 6f036dd0af4df7066dc7fb82e7275f1064e5b88fb43e876dd09e4c04813b11d5
Opcode Fuzzy Hash: 50ee67f2dc0b6a803bb903ae7919f72a1a546c20e406202d0b734e1a7e149073
Instruction Fuzzy Hash: EC418130E0030ADFDB64AF65D8506AEBBB6FF85344F204529E406EB285DB74E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C821BD Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06C8230B

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: c8d447c1df5edea500ea3d991de77f688f9448f55d1a9849712a1f62863fc07e
Instruction ID: 2868af4be6c12894f474b8f33ea5a1844a57972dec78cdabb53ae47c30c11f77
Opcode Fuzzy Hash: c8d447c1df5edea500ea3d991de77f688f9448f55d1a9849712a1f62863fc07e
Instruction Fuzzy Hash: 0531F130B102019FCBA9AB7489686AE3BE6EF85214F10457CD002DB345DE39DE46CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 06C821D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06C8230B

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: a33cbf9c002a8e9268e98953fa96903ef8241dc7c868d68a7d1974224d8edf9c
Instruction ID: 6d0bcfdaf6a80226a08bb32249633c9122cbb55ba827d865f34de6b072bcf84d
Opcode Fuzzy Hash: a33cbf9c002a8e9268e98953fa96903ef8241dc7c868d68a7d1974224d8edf9c
Instruction Fuzzy Hash: 0531C330B102018FDBA8AB74D95866E76E7EF89214F10453CD406DB354DE39DE45CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 06C869E0 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdfa37aa29f3f7b90085bb211c1e69ddadf19f252ba7592da5541db1a5dc9db
Instruction ID: 37bdf62bb3a411f2f602147e913e15e0aadb0e2851a08ce73f55d149563a988b
Opcode Fuzzy Hash: 2cdfa37aa29f3f7b90085bb211c1e69ddadf19f252ba7592da5541db1a5dc9db
Instruction Fuzzy Hash: EA028B30B002048FDB64EB69D944BAEB7F2EF84318F148569E41ADB391DB35ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C861B8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4193002581ed6d32eee214c585d914fd75ef2fc0a96450163590767f629155e
Instruction ID: 3e3f3c50b99612db0bc28231d79ccca8d787a90842d69e250e0feb51948399db
Opcode Fuzzy Hash: e4193002581ed6d32eee214c585d914fd75ef2fc0a96450163590767f629155e
Instruction Fuzzy Hash: 2961BF71F000214FDB64AA6ED884A6FBADBAF94224F154479D80EDB360DE79DD02C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 06C84268 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6689c55a92c5e261ce2f03d75535b5511118104f831e2d31abfea5ca7eb34281
Instruction ID: ef976dd3e6dd15e43a22859662234610089c0cfa7c34e851fc3a5d765eecd5a5
Opcode Fuzzy Hash: 6689c55a92c5e261ce2f03d75535b5511118104f831e2d31abfea5ca7eb34281
Instruction Fuzzy Hash: 7C814D30B0020A9FDB58EF69D45479EB7F3AB89304F108529D40AEB395EB34DD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C84588 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49414fffc1529733fac342fad5bae33cb0208515e26d0efcba1b3e92ee163d41
Instruction ID: 7638c02b6ef3c03e05b085b4995aaf188386e4a4411a51494d2f4c15f14be902
Opcode Fuzzy Hash: 49414fffc1529733fac342fad5bae33cb0208515e26d0efcba1b3e92ee163d41
Instruction Fuzzy Hash: 29912C30E1021A8FDF64DF68C890B9DB7B1FF89304F208599D549EB295DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C845A0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6869d053de76b777e62b4540a2ba728b60af313a191b65b5e8390b3389a5d1e
Instruction ID: e5fe1517d4dcb2a638ff23f0840e9c1009a8219ce43e5b8abac3735357fbb4ed
Opcode Fuzzy Hash: b6869d053de76b777e62b4540a2ba728b60af313a191b65b5e8390b3389a5d1e
Instruction Fuzzy Hash: 76913A30E1021A8FDF64DF68C890B9DB7B1FF89304F20C699D549AB255DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C8EAC8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2990c5bef7d6372cea10f1a632a30bbbb619f42251806ab86349122d838296e1
Instruction ID: 0b932d6ace5c175113c822fe13a7e7c3dec286d9e2e71f31b24d1125d2dcf7bb
Opcode Fuzzy Hash: 2990c5bef7d6372cea10f1a632a30bbbb619f42251806ab86349122d838296e1
Instruction Fuzzy Hash: C5713B70A002099FCB64EFA9D990AAEBBF6FF88304F148529D415EB355DB34ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C8EAD8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc95f3fae737ae5387e05744bb488ef770fd282ba8bc06482320bf7a261a2cff
Instruction ID: da0fc573abc268f17fce4feb11c15eccfca707418dbce96fdb2055db308a1920
Opcode Fuzzy Hash: bc95f3fae737ae5387e05744bb488ef770fd282ba8bc06482320bf7a261a2cff
Instruction Fuzzy Hash: 55712970A002099FDB54EFA9D990AAEBBF6FF88304F148429D405EB355DB34ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C8FC39 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1aa9fff3624f3fd003b7ce8977442b623297da09183b32d4cf66457af89d66
Instruction ID: ccb2e152dfa0dac11d68a9e574542cdb6b0e69cd4d33d02bc6bb4c39086cd3cb
Opcode Fuzzy Hash: 3b1aa9fff3624f3fd003b7ce8977442b623297da09183b32d4cf66457af89d66
Instruction Fuzzy Hash: 0151C131E00105CFCB64BF78E8546ADB7B2FB84359F20887DE12AD7251DB359A55CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06C8F9E8 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0204d6a6469d6a2b7ce645c90471c0c863e0b6f530795df1b3708943c688c85b
Instruction ID: de39b2dec38441ff5881bbca28a0bc3445e242f5882d19c997bda007b0e9e024
Opcode Fuzzy Hash: 0204d6a6469d6a2b7ce645c90471c0c863e0b6f530795df1b3708943c688c85b
Instruction Fuzzy Hash: 3651B5B0B102048FEF746A78E95476F265EDB89394F20483EE80AD7795CA6CCD45C792

Uniqueness

Uniqueness Score: -1.00%

Function 06C8F9F8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a2a895f064009bcc5dade95e3b53b4e5a4bf6d0998c5bb2d7f5e17726357cc
Instruction ID: a5c0d816ef83c4433546bb949ccba8cc427719641f0aa1a4d466befaf38f60da
Opcode Fuzzy Hash: 34a2a895f064009bcc5dade95e3b53b4e5a4bf6d0998c5bb2d7f5e17726357cc
Instruction Fuzzy Hash: 2451B4B0B102049FEF746A6CE95476F265EDB89394F20483EE40AD7795C96CCD45C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 06C85560 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceacea21dcebb2cfc2d9ebf9cad404aacf136df487ee314730267192db72fc0b
Instruction ID: e2360bb21b48278b86e6cff1ab28e28ce001f0a33c96cff45517aad446ad68de
Opcode Fuzzy Hash: ceacea21dcebb2cfc2d9ebf9cad404aacf136df487ee314730267192db72fc0b
Instruction Fuzzy Hash: 2641D575E101059FDFB0AE68C48077EBBB2EB45318FA0892DD51ADB791C671EE41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06C853E8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a654515343f4aa7623d0ce19099cf2c4ef4228770f79cac8bfee6bbd2d98238b
Instruction ID: 2c0ce37b340383f855129edd4b34f58c03ed41bd11d11415fc2a834f41368c79
Opcode Fuzzy Hash: a654515343f4aa7623d0ce19099cf2c4ef4228770f79cac8bfee6bbd2d98238b
Instruction Fuzzy Hash: 1541AF71E002098FDFB0DFA9D880AAFFBB2EB85314F50492AE11AD7650D370E955CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C82080 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2843be56d1674d339199a3655cb25f6c7120bb46cd59de52f7d32f95f8b96a0
Instruction ID: 7ae136f9c11823f6e3feaf9623be7750b78eeb5dcc343b0fafd88f4fae86e383
Opcode Fuzzy Hash: b2843be56d1674d339199a3655cb25f6c7120bb46cd59de52f7d32f95f8b96a0
Instruction Fuzzy Hash: 7331AF30E102069FCB59DFA4D85869EB7B2EF89304F10852DE906E7750DB75EE46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C82090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5742db4b4f3e8022e4b0e0e52cb7c1bc63d1dd9f5dec16fcbbdcb43a779207dd
Instruction ID: d8bf528c89dee71da1649993e20ea51052182735772eb36b80c7399864b63fd2
Opcode Fuzzy Hash: 5742db4b4f3e8022e4b0e0e52cb7c1bc63d1dd9f5dec16fcbbdcb43a779207dd
Instruction Fuzzy Hash: 4B319E30E102059FCB59DFA4D85869EB7B2EF89304F208529E906E7350DB75EE42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06C83A68 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab5a94ffdfea664bcfbc653bac34094c280d2a7f44bd9e3bc54af870e3aa333
Instruction ID: c7c02ed5b0aaab940a6cb22aed7aa5828131627d86eabcbf33a9c61f06a5a454
Opcode Fuzzy Hash: 4ab5a94ffdfea664bcfbc653bac34094c280d2a7f44bd9e3bc54af870e3aa333
Instruction Fuzzy Hash: 86216871E00255DFDB50DFA9D840BEEBBF5AB48614F108029E909EB380E734D942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C83A78 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3632e09033ef27340c044119cc998f499258fabdb06517ee3596ff8c2310580
Instruction ID: 91cdc38523e687db846c8bb1f8fceb4fb2771bd4e67fb68c7f448484ccf7c39b
Opcode Fuzzy Hash: b3632e09033ef27340c044119cc998f499258fabdb06517ee3596ff8c2310580
Instruction Fuzzy Hash: FF215AB5E00255DFDB50EFA9D880AEEB7F5EB48614F108029E919EB280E735DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016BD006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3254176361.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16bd000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b92b52fbab5710962a10dc58e2a9a0a1fa71b338081025b0a943264c5dd9e9c
Instruction ID: bef03c6aa682306a74ccd2ee1baaf206ef7de4cdb3536fee8bd8f8fa72b94260
Opcode Fuzzy Hash: 6b92b52fbab5710962a10dc58e2a9a0a1fa71b338081025b0a943264c5dd9e9c
Instruction Fuzzy Hash: 9631297150E3C09FD7038B64D9A4651BF71AB47214F2985DBD8898F2A7C23A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 016BD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3254176361.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16bd000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3e3d5b4d09d697e82e2ad9b6f1ccb51c25f8801f5a04a526a3b0f8ab949e4d
Instruction ID: 9471d31db37f763110d11c7573a0b8e86643fc86c6d2c28c3dc464252d313687
Opcode Fuzzy Hash: 7b3e3d5b4d09d697e82e2ad9b6f1ccb51c25f8801f5a04a526a3b0f8ab949e4d
Instruction Fuzzy Hash: F8210071504204AFCB15CF68C9C0B26BB65FB84318F20C569E9490F352C73AD487CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06C86CD8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec47bc042b29c289bd3711d09d9d94e7d301e14a45e054010f8eb7ddaf73dfa2
Instruction ID: 3f8cf4a78c931bc1b5e5cdb2c768a555171ee3a741e4bb935e9b64b35e20f156
Opcode Fuzzy Hash: ec47bc042b29c289bd3711d09d9d94e7d301e14a45e054010f8eb7ddaf73dfa2
Instruction Fuzzy Hash: 88219330B101089FDF94EA6AE95469EB7B6EB84314F248439D405E7341E735ED41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06C83B88 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63acad40109e66de54135dd7407171063564f5804550373e231fe40f53da538c
Instruction ID: 7aa331941cdb80fe8a2acdca70e642d76910d997c47111e41473b204d18ed6ff
Opcode Fuzzy Hash: 63acad40109e66de54135dd7407171063564f5804550373e231fe40f53da538c
Instruction Fuzzy Hash: 6811A132B105288FDBA4EAB9CC146AE73AAEBC8714F008139C40AE7354DE75DC028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 06C83023 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0089635e2277aba6cbf15be7419d311388cd50676e4c6ae07dc6e396550d526e
Instruction ID: 666237d9851e8eb0278ea0cf29a2b44d83f084f553a65b830412bb95e72676b2
Opcode Fuzzy Hash: 0089635e2277aba6cbf15be7419d311388cd50676e4c6ae07dc6e396550d526e
Instruction Fuzzy Hash: E511A571E002A48FCB68DBB5D8405DEF7B5EF88714F10956AD50AE7240DA31DA46CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06C8ED49 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb6876fe9a33bc2fd69cf23e71a77ec870036d980b321d7c260040cdd4eb896
Instruction ID: a86f3c82257c99a2354dfd095de4d0dc1e4b9d9921c7b01a9238801e871a7856
Opcode Fuzzy Hash: 1eb6876fe9a33bc2fd69cf23e71a77ec870036d980b321d7c260040cdd4eb896
Instruction Fuzzy Hash: B601F772B000110FDB65AA7CD854B6B67D6DBCA614F10493FE10AC7351DE64DE0683D1

Uniqueness

Uniqueness Score: -1.00%

Function 06C841C8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca754f4e701b4bde1590285f27a26ad65a5ab1d73f3a55da4c40ca9e00eaaad
Instruction ID: b13054cf8cbeaf8318dd69242539728c5edc701497d0fbaf28f079b40c2eff65
Opcode Fuzzy Hash: 5ca754f4e701b4bde1590285f27a26ad65a5ab1d73f3a55da4c40ca9e00eaaad
Instruction Fuzzy Hash: 48012831B041224FDBB596BDA808B1BB7D6EBC6318F10893EE10EC7395D959DD02C381

Uniqueness

Uniqueness Score: -1.00%

Function 06C83848 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf404c21f2f374e0e813f333ab588bfb2f740f3de03cd1b942fa03547f2933e
Instruction ID: 6c55c4a859ec47abb1771faaf72c70bae17623f57ee9d8665e891f32f7765973
Opcode Fuzzy Hash: ccf404c21f2f374e0e813f333ab588bfb2f740f3de03cd1b942fa03547f2933e
Instruction Fuzzy Hash: 7411D3B5D01259AFCB10DF9AD884ADEFBB4FB48314F10812AE518A7200C378A544CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 06C83840 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: addcf3fe67cdb8df0d5b4939b3e2f666275192bb333fbd76b49068f8dcb7a43a
Instruction ID: a31ba280e65925c7d28bd7c400800f6496303d96808cc812356765e851585a38
Opcode Fuzzy Hash: addcf3fe67cdb8df0d5b4939b3e2f666275192bb333fbd76b49068f8dcb7a43a
Instruction Fuzzy Hash: 7421C2B5D01259AFCB10DF9AD984ADEFBB4FB48314F10852AE918A7200C378A554CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C8A2C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11134d9c93c620d420ad95715c8e98046138bc5be5d2252265a18f3ebda6428
Instruction ID: 97a3e21f829fd2cd4cda412a0a17eba104b659839ce8d88d6a1a3126ebb93f60
Opcode Fuzzy Hash: d11134d9c93c620d420ad95715c8e98046138bc5be5d2252265a18f3ebda6428
Instruction Fuzzy Hash: E2012830B001518FD7B1ABADD804B5B77D1EB86714F10492EE04EC7791EA29DE41C740

Uniqueness

Uniqueness Score: -1.00%

Function 06C83B78 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3948cd4bcdb148d8a12de018c76d7c9570cdd9c9b8a2150a89c6f0edf391e34a
Instruction ID: c62ef2e763768e16ed106b53ba935e80d68e6ec277540000b6d3cdf96f265bdb
Opcode Fuzzy Hash: 3948cd4bcdb148d8a12de018c76d7c9570cdd9c9b8a2150a89c6f0edf391e34a
Instruction Fuzzy Hash: 9101D436B104558BEB65AA69CC107FF76AB9BC8714F00413DC40AE3390DA64CC078792

Uniqueness

Uniqueness Score: -1.00%

Function 06C841D8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a4dd02f44b4ef790d160e8af2dc1a7a885484d34db51d59323bb7c320e562e
Instruction ID: d31406f38bc02873dc535c87ec00730312410373b2f0f2010749c32a06963def
Opcode Fuzzy Hash: 00a4dd02f44b4ef790d160e8af2dc1a7a885484d34db51d59323bb7c320e562e
Instruction Fuzzy Hash: E5016235B000214FDBA9A6AEA85871BB6DAEBC5615F10C83EE50EC7354D969DE028391

Uniqueness

Uniqueness Score: -1.00%

Function 06C8ED58 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fc0b41689929b213fa8ab4862d2a68249bf72ddd379b9ff96e7896420fedb1
Instruction ID: 79a5747be74b9524211615fe38b8ef5bc659259a4897f12d5f6e74c83249a9ca
Opcode Fuzzy Hash: 06fc0b41689929b213fa8ab4862d2a68249bf72ddd379b9ff96e7896420fedb1
Instruction Fuzzy Hash: E301A471B000100FDBB5AA7DD85472F66DBDBC9615F10883EE10AC7350DE65DD0683D1

Uniqueness

Uniqueness Score: -1.00%

Function 06C8A2D0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058e697b9858aee15f499909f9f57c413b9d71f8dce9f9ac025f93c4d3ba3fd4
Instruction ID: b5b4ef283b5b57f09e5c9fb3195c3e5c0d64951295e4ccdbdf76f0c0ae85fac1
Opcode Fuzzy Hash: 058e697b9858aee15f499909f9f57c413b9d71f8dce9f9ac025f93c4d3ba3fd4
Instruction Fuzzy Hash: 9E018630B001144FCB71AAADE854B5B73D6EB89615F10493DE10EC7350D915DE418781

Uniqueness

Uniqueness Score: -1.00%

Function 06C8C798 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19aa07ae2317092e2ae4d1bfe0d08dffbbce74e63a91273b9dc2f865cb023603
Instruction ID: a0d4080f1133ff0ec3755314fe6dfb46d4826997a7169c92a3f2031668b46240
Opcode Fuzzy Hash: 19aa07ae2317092e2ae4d1bfe0d08dffbbce74e63a91273b9dc2f865cb023603
Instruction Fuzzy Hash: 7301A431E102249FCB64AF69EC40A9EB77AFB85354F00453DE905EB384DB36AD05C790

Uniqueness

Uniqueness Score: -1.00%

Function 06C86438 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a851cd0d3d0900c0a48878cb58c3ee4ea1918fc63e64d4970f0434851d92d4e
Instruction ID: 48d17c86ffba1f4f27650e61cb60965b4d69ce0cc39e65e0b03aa31cf2a8234e
Opcode Fuzzy Hash: 7a851cd0d3d0900c0a48878cb58c3ee4ea1918fc63e64d4970f0434851d92d4e
Instruction Fuzzy Hash: 53E04F72E251449FEF60DEB1DA1975E766A9BC121CF21C8AAD409DB242E136CE06C340

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06C87660 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C87BC2
$]q, xrefs: 06C8775C
$]q, xrefs: 06C8778D
$]q, xrefs: 06C87B19
$]q, xrefs: 06C87750
$]q, xrefs: 06C87B0D
$]q, xrefs: 06C87781
$]q, xrefs: 06C87BAC
$]q, xrefs: 06C87BCE
$]q, xrefs: 06C87BB8

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 2eccffc23fe8f8eaba75305b57e04d2a64a61c05158811e20e124278d1158cd1
Instruction ID: 5ae5189cc3e3bb0dc72f75c27b54af94c1a84c69586056fdf4166ba166f09987
Opcode Fuzzy Hash: 2eccffc23fe8f8eaba75305b57e04d2a64a61c05158811e20e124278d1158cd1
Instruction Fuzzy Hash: 43122C30E00219CFDB69EF69C994A9DB7F6FF84308F208569D409AB355EB349D85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C8A8F8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C8AA49
$]q, xrefs: 06C8AAAA
$]q, xrefs: 06C8A9EE
$]q, xrefs: 06C8AA74
$]q, xrefs: 06C8AAB6
$]q, xrefs: 06C8AA55
$]q, xrefs: 06C8A9FA
$]q, xrefs: 06C8AA80

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 4a4b52b03fdc36838a6eec5df99ac9540766d6a2beb3d76d685d3d159c969ce3
Instruction ID: d0aa423630a8d0e9cdcf5a7245243dbac6baefbf5087bb4333aa7ce35e7826fc
Opcode Fuzzy Hash: 4a4b52b03fdc36838a6eec5df99ac9540766d6a2beb3d76d685d3d159c969ce3
Instruction Fuzzy Hash: 82916030A00209DFDB68EFA9D994BAEB7F6FF44308F10852AD40297295DB799D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C87060 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C873A8
$]q, xrefs: 06C87342
$]q, xrefs: 06C87568
$]q, xrefs: 06C8739C
$]q, xrefs: 06C87574
.5uq, xrefs: 06C870BB
$]q, xrefs: 06C874FC

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: ec99255ae2079ee77934848d65ca5e80562a61350bc871aca271a69b2c451f92
Instruction ID: ac118537b937355c99cb1cd75a42ac0ac292dc43bfaf3532f904d2bdb4d8b0d4
Opcode Fuzzy Hash: ec99255ae2079ee77934848d65ca5e80562a61350bc871aca271a69b2c451f92
Instruction Fuzzy Hash: 86F13C30A00305CFDB69EFA5D594A6EB7B6FF84344F208568D8059B3A9DB39DC82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06C88398 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C885FE
$]q, xrefs: 06C88657
$]q, xrefs: 06C885F2
$]q, xrefs: 06C88663

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 42de278d99261c2cdb8e20be4c64896868205b24db6a407b46a4d3f806edf873
Instruction ID: 8d3b366b5ec696898cdcc802473080c416f9834fa570289e3c996057571cc4db
Opcode Fuzzy Hash: 42de278d99261c2cdb8e20be4c64896868205b24db6a407b46a4d3f806edf873
Instruction Fuzzy Hash: 7CB15B30A11209CFDB64EFA9C99469EB7B6FF84304F648829D406DB795DB34DD82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C887B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C8882F
LR]q, xrefs: 06C888F2
$]q, xrefs: 06C8883B
LR]q, xrefs: 06C888A3

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 84f4a3774dacae8907f5ac9ff8e65804d5d49c1d4f20a9615db7fd5c419940fb
Instruction ID: cecf79b05898424f89521007197cb45d09f4b542cbce596f4ad97c28a0790bd7
Opcode Fuzzy Hash: 84f4a3774dacae8907f5ac9ff8e65804d5d49c1d4f20a9615db7fd5c419940fb
Instruction Fuzzy Hash: 9251D330B012019FDB68EF69D880A6AB7F6FF88708F50856DE4069B795DB35EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C8AC87 Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C8ADB1
$]q, xrefs: 06C8AE5C
$]q, xrefs: 06C8AE33
$]q, xrefs: 06C8AE04

Memory Dump Source

Source File: 00000003.00000002.3260270086.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c80000_ORDER SPECIFICATION.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 8ec29317af4f0692a68306b56fabea51c9ce72947c2c6ae2bc6349c70b5ebc79
Instruction ID: 636f32c262da94a63b12866f2e86b030757bfff52faeb7f0e058e65d1e7922b0
Opcode Fuzzy Hash: 8ec29317af4f0692a68306b56fabea51c9ce72947c2c6ae2bc6349c70b5ebc79
Instruction Fuzzy Hash: AA518F30A10205DFCBB5EBA8D580AAEB3B6FB85315F14892BD805EB355DB35ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORDER SPECIFICATION.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER SPECIFICATION.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
ORDER SPECIFICATION.exe

Function 00BAAD88 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 00BA5A84 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 00BA590C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00BA44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00BAD25C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00BAD668 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00BAA110 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 00BAB1F8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 06C83028 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Function 06C87D40 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre