Edit tour

Windows Analysis Report
Product Order Hirsch 1475.exe

Overview

General Information

Sample name:	Product Order Hirsch 1475.exe
Analysis ID:	1636901
MD5:	c115613bdeeef582663b98b91348ba55
SHA1:	2da29044cff0ee0d983a4c5794842fd59206ea3a
SHA256:	127e0f05b7b37ee7c27e2cf7bea75f5eae94be3e237ae3a60f9176950d0d68f5
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Product Order Hirsch 1475.exe (PID: 4352 cmdline: "C:\Users\user\Desktop\Product Order Hirsch 1475.exe" MD5: C115613BDEEEF582663B98B91348BA55)

Product Order Hirsch 1475.exe (PID: 1776 cmdline: "C:\Users\user\Desktop\Product Order Hirsch 1475.exe" MD5: C115613BDEEEF582663B98B91348BA55)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk/sendMessage?chat_id=7854955274", "Token": "7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk", "Chat_id": "7854955274", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3662820175.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148ce:$a1: get_encryptedPassword 0x14bba:$a2: get_encryptedUsername 0x146da:$a3: get_timePasswordChanged 0x147d5:$a4: get_passwordField 0x148e4:$a5: set_encryptedPassword 0x15f8b:$a7: get_logins 0x15eee:$a10: KeyLoggerEventArgs 0x15b59:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198a4:$x1: $%SMTPDV$ 0x18288:$x2: $#TheHashHere%& 0x1984c:$x3: %FTPDV$ 0x18228:$x4: $%TelegramDv$ 0x15b59:$x5: KeyLoggerEventArgs 0x15eee:$x5: KeyLoggerEventArgs 0x19870:$m2: Clipboard Logs ID 0x19aae:$m2: Screenshot Logs ID 0x19bbe:$m2: keystroke Logs ID 0x19e98:$m3: SnakePW 0x19a86:$m4: \SnakeKeylogger\
00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x82746:$a1: get_encryptedPassword 0xa3166:$a1: get_encryptedPassword 0xc3986:$a1: get_encryptedPassword 0x82a32:$a2: get_encryptedUsername 0xa3452:$a2: get_encryptedUsername 0xc3c72:$a2: get_encryptedUsername 0x82552:$a3: get_timePasswordChanged 0xa2f72:$a3: get_timePasswordChanged 0xc3792:$a3: get_timePasswordChanged 0x8264d:$a4: get_passwordField 0xa306d:$a4: get_passwordField 0xc388d:$a4: get_passwordField 0x8275c:$a5: set_encryptedPassword 0xa317c:$a5: set_encryptedPassword 0xc399c:$a5: set_encryptedPassword 0x83e03:$a7: get_logins 0xa4823:$a7: get_logins 0xc5043:$a7: get_logins 0x83d66:$a10: KeyLoggerEventArgs 0xa4786:$a10: KeyLoggerEventArgs 0xc4fa6:$a10: KeyLoggerEventArgs
00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x8771c:$x1: $%SMTPDV$ 0xa813c:$x1: $%SMTPDV$ 0xc895c:$x1: $%SMTPDV$ 0x86100:$x2: $#TheHashHere%& 0xa6b20:$x2: $#TheHashHere%& 0xc7340:$x2: $#TheHashHere%& 0x876c4:$x3: %FTPDV$ 0xa80e4:$x3: %FTPDV$ 0xc8904:$x3: %FTPDV$ 0x860a0:$x4: $%TelegramDv$ 0xa6ac0:$x4: $%TelegramDv$ 0xc72e0:$x4: $%TelegramDv$ 0x839d1:$x5: KeyLoggerEventArgs 0x83d66:$x5: KeyLoggerEventArgs 0xa43f1:$x5: KeyLoggerEventArgs 0xa4786:$x5: KeyLoggerEventArgs 0xc4c11:$x5: KeyLoggerEventArgs 0xc4fa6:$x5: KeyLoggerEventArgs 0x876e8:$m2: Clipboard Logs ID 0x87926:$m2: Screenshot Logs ID 0x87a36:$m2: keystroke Logs ID
00000003.00000002.3662820175.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Product Order Hirsch 1475.exe PID: 4352	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Product Order Hirsch 1475.exe PID: 4352	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Product Order Hirsch 1475.exe PID: 4352	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23ff0:$a1: get_encryptedPassword 0x242d2:$a2: get_encryptedUsername 0x23e06:$a3: get_timePasswordChanged 0x23f01:$a4: get_passwordField 0x24006:$a5: set_encryptedPassword 0x264e4:$a7: get_logins 0x26447:$a10: KeyLoggerEventArgs 0x260b2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Product Order Hirsch 1475.exe PID: 4352	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x260b2:$x5: KeyLoggerEventArgs 0x26447:$x5: KeyLoggerEventArgs 0x26d4e:$x5: KeyLoggerEventArgs 0x270af:$x5: KeyLoggerEventArgs 0x28672:$m2: Clipboard Logs ID 0x28778:$m2: Screenshot Logs ID 0x287ce:$m2: keystroke Logs ID 0x28903:$m3: SnakePW 0x28764:$m4: \SnakeKeylogger\
Process Memory Space: Product Order Hirsch 1475.exe PID: 1776	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Product Order Hirsch 1475.exe PID: 1776	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Product Order Hirsch 1475.exe PID: 1776	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4b242:$a1: get_encryptedPassword 0x4b524:$a2: get_encryptedUsername 0x4b058:$a3: get_timePasswordChanged 0x4b153:$a4: get_passwordField 0x4b258:$a5: set_encryptedPassword 0x4d736:$a7: get_logins 0x4d699:$a10: KeyLoggerEventArgs 0x4d304:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Product Order Hirsch 1475.exe PID: 1776	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4d304:$x5: KeyLoggerEventArgs 0x4d699:$x5: KeyLoggerEventArgs 0x4dfa0:$x5: KeyLoggerEventArgs 0x4e301:$x5: KeyLoggerEventArgs 0x4f8c4:$m2: Clipboard Logs ID 0x4f9ca:$m2: Screenshot Logs ID 0x4fa20:$m2: keystroke Logs ID 0x4fb55:$m3: SnakePW 0x4f9b6:$m4: \SnakeKeylogger\
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cce:$a1: get_encryptedPassword 0x12fba:$a2: get_encryptedUsername 0x12ada:$a3: get_timePasswordChanged 0x12bd5:$a4: get_passwordField 0x12ce4:$a5: set_encryptedPassword 0x1438b:$a7: get_logins 0x142ee:$a10: KeyLoggerEventArgs 0x13f59:$a11: KeyLoggerEventArgsEventHandler
1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a65a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1988c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cbf:$a4: \Orbitum\User Data\Default\Login Data 0x1acfe:$a5: \Kometa\User Data\Default\Login Data
1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138c7:$s1: UnHook 0x138ce:$s2: SetHook 0x138d6:$s3: CallNextHook 0x138e3:$s4: _hook
1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ca4:$x1: $%SMTPDV$ 0x16688:$x2: $#TheHashHere%& 0x17c4c:$x3: %FTPDV$ 0x16628:$x4: $%TelegramDv$ 0x13f59:$x5: KeyLoggerEventArgs 0x142ee:$x5: KeyLoggerEventArgs 0x17c70:$m2: Clipboard Logs ID 0x17eae:$m2: Screenshot Logs ID 0x17fbe:$m2: keystroke Logs ID 0x18298:$m3: SnakePW 0x17e86:$m4: \SnakeKeylogger\
3.2.Product Order Hirsch 1475.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Product Order Hirsch 1475.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.Product Order Hirsch 1475.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ace:$a1: get_encryptedPassword 0x14dba:$a2: get_encryptedUsername 0x148da:$a3: get_timePasswordChanged 0x149d5:$a4: get_passwordField 0x14ae4:$a5: set_encryptedPassword 0x1618b:$a7: get_logins 0x160ee:$a10: KeyLoggerEventArgs 0x15d59:$a11: KeyLoggerEventArgsEventHandler
3.2.Product Order Hirsch 1475.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c45a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b68c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1babf:$a4: \Orbitum\User Data\Default\Login Data 0x1cafe:$a5: \Kometa\User Data\Default\Login Data
3.2.Product Order Hirsch 1475.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c7:$s1: UnHook 0x156ce:$s2: SetHook 0x156d6:$s3: CallNextHook 0x156e3:$s4: _hook
3.2.Product Order Hirsch 1475.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19aa4:$x1: $%SMTPDV$ 0x18488:$x2: $#TheHashHere%& 0x19a4c:$x3: %FTPDV$ 0x18428:$x4: $%TelegramDv$ 0x15d59:$x5: KeyLoggerEventArgs 0x160ee:$x5: KeyLoggerEventArgs 0x19a70:$m2: Clipboard Logs ID 0x19cae:$m2: Screenshot Logs ID 0x19dbe:$m2: keystroke Logs ID 0x1a098:$m3: SnakePW 0x19c86:$m4: \SnakeKeylogger\
1.2.Product Order Hirsch 1475.exe.3497698.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Product Order Hirsch 1475.exe.3497698.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.Product Order Hirsch 1475.exe.3497698.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cce:$a1: get_encryptedPassword 0x12fba:$a2: get_encryptedUsername 0x12ada:$a3: get_timePasswordChanged 0x12bd5:$a4: get_passwordField 0x12ce4:$a5: set_encryptedPassword 0x1438b:$a7: get_logins 0x142ee:$a10: KeyLoggerEventArgs 0x13f59:$a11: KeyLoggerEventArgsEventHandler
1.2.Product Order Hirsch 1475.exe.3497698.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a65a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1988c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cbf:$a4: \Orbitum\User Data\Default\Login Data 0x1acfe:$a5: \Kometa\User Data\Default\Login Data
1.2.Product Order Hirsch 1475.exe.3497698.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138c7:$s1: UnHook 0x138ce:$s2: SetHook 0x138d6:$s3: CallNextHook 0x138e3:$s4: _hook
1.2.Product Order Hirsch 1475.exe.3497698.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ca4:$x1: $%SMTPDV$ 0x16688:$x2: $#TheHashHere%& 0x17c4c:$x3: %FTPDV$ 0x16628:$x4: $%TelegramDv$ 0x13f59:$x5: KeyLoggerEventArgs 0x142ee:$x5: KeyLoggerEventArgs 0x17c70:$m2: Clipboard Logs ID 0x17eae:$m2: Screenshot Logs ID 0x17fbe:$m2: keystroke Logs ID 0x18298:$m3: SnakePW 0x17e86:$m4: \SnakeKeylogger\
1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ace:$a1: get_encryptedPassword 0x354ee:$a1: get_encryptedPassword 0x55d0e:$a1: get_encryptedPassword 0x14dba:$a2: get_encryptedUsername 0x357da:$a2: get_encryptedUsername 0x55ffa:$a2: get_encryptedUsername 0x148da:$a3: get_timePasswordChanged 0x352fa:$a3: get_timePasswordChanged 0x55b1a:$a3: get_timePasswordChanged 0x149d5:$a4: get_passwordField 0x353f5:$a4: get_passwordField 0x55c15:$a4: get_passwordField 0x14ae4:$a5: set_encryptedPassword 0x35504:$a5: set_encryptedPassword 0x55d24:$a5: set_encryptedPassword 0x1618b:$a7: get_logins 0x36bab:$a7: get_logins 0x573cb:$a7: get_logins 0x160ee:$a10: KeyLoggerEventArgs 0x36b0e:$a10: KeyLoggerEventArgs 0x5732e:$a10: KeyLoggerEventArgs
1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c7:$s1: UnHook 0x360e7:$s1: UnHook 0x56907:$s1: UnHook 0x156ce:$s2: SetHook 0x360ee:$s2: SetHook 0x5690e:$s2: SetHook 0x156d6:$s3: CallNextHook 0x360f6:$s3: CallNextHook 0x56916:$s3: CallNextHook 0x156e3:$s4: _hook 0x36103:$s4: _hook 0x56923:$s4: _hook
1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19aa4:$x1: $%SMTPDV$ 0x3a4c4:$x1: $%SMTPDV$ 0x5ace4:$x1: $%SMTPDV$ 0x18488:$x2: $#TheHashHere%& 0x38ea8:$x2: $#TheHashHere%& 0x596c8:$x2: $#TheHashHere%& 0x19a4c:$x3: %FTPDV$ 0x3a46c:$x3: %FTPDV$ 0x5ac8c:$x3: %FTPDV$ 0x18428:$x4: $%TelegramDv$ 0x38e48:$x4: $%TelegramDv$ 0x59668:$x4: $%TelegramDv$ 0x15d59:$x5: KeyLoggerEventArgs 0x160ee:$x5: KeyLoggerEventArgs 0x36779:$x5: KeyLoggerEventArgs 0x36b0e:$x5: KeyLoggerEventArgs 0x56f99:$x5: KeyLoggerEventArgs 0x5732e:$x5: KeyLoggerEventArgs 0x19a70:$m2: Clipboard Logs ID 0x19cae:$m2: Screenshot Logs ID 0x19dbe:$m2: keystroke Logs ID
1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ace:$a1: get_encryptedPassword 0x352ee:$a1: get_encryptedPassword 0x14dba:$a2: get_encryptedUsername 0x355da:$a2: get_encryptedUsername 0x148da:$a3: get_timePasswordChanged 0x350fa:$a3: get_timePasswordChanged 0x149d5:$a4: get_passwordField 0x351f5:$a4: get_passwordField 0x14ae4:$a5: set_encryptedPassword 0x35304:$a5: set_encryptedPassword 0x1618b:$a7: get_logins 0x369ab:$a7: get_logins 0x160ee:$a10: KeyLoggerEventArgs 0x3690e:$a10: KeyLoggerEventArgs 0x15d59:$a11: KeyLoggerEventArgsEventHandler 0x36579:$a11: KeyLoggerEventArgsEventHandler
1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c7:$s1: UnHook 0x35ee7:$s1: UnHook 0x156ce:$s2: SetHook 0x35eee:$s2: SetHook 0x156d6:$s3: CallNextHook 0x35ef6:$s3: CallNextHook 0x156e3:$s4: _hook 0x35f03:$s4: _hook
1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19aa4:$x1: $%SMTPDV$ 0x3a2c4:$x1: $%SMTPDV$ 0x18488:$x2: $#TheHashHere%& 0x38ca8:$x2: $#TheHashHere%& 0x19a4c:$x3: %FTPDV$ 0x3a26c:$x3: %FTPDV$ 0x18428:$x4: $%TelegramDv$ 0x38c48:$x4: $%TelegramDv$ 0x15d59:$x5: KeyLoggerEventArgs 0x160ee:$x5: KeyLoggerEventArgs 0x36579:$x5: KeyLoggerEventArgs 0x3690e:$x5: KeyLoggerEventArgs 0x19a70:$m2: Clipboard Logs ID 0x19cae:$m2: Screenshot Logs ID 0x19dbe:$m2: keystroke Logs ID 0x3a290:$m2: Clipboard Logs ID 0x3a4ce:$m2: Screenshot Logs ID 0x3a5de:$m2: keystroke Logs ID 0x1a098:$m3: SnakePW 0x3a8b8:$m3: SnakePW 0x19c86:$m4: \SnakeKeylogger\
Click to see the 23 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:51:07.577363+0100	2803305	3	Unknown Traffic	192.168.2.6	49688	104.21.80.1	443	TCP
2025-03-13T08:51:16.082873+0100	2803305	3	Unknown Traffic	192.168.2.6	49695	104.21.80.1	443	TCP
2025-03-13T08:51:18.881915+0100	2803305	3	Unknown Traffic	192.168.2.6	49698	104.21.80.1	443	TCP
2025-03-13T08:51:21.558161+0100	2803305	3	Unknown Traffic	192.168.2.6	49702	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:51:03.016519+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49684	132.226.247.73	80	TCP
2025-03-13T08:51:05.547671+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49684	132.226.247.73	80	TCP
2025-03-13T08:51:08.360166+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49690	132.226.247.73	80	TCP
2025-03-13T08:51:11.172694+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49692	132.226.247.73	80	TCP
2025-03-13T08:51:13.938300+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49694	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Product Order Hirsch 1475.exe

Avira: detected

Found malware configuration

Source: 00000003.00000002.3662820175.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk/sendMessage?chat_id=7854955274", "Token": "7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk", "Chat_id": "7854955274", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Product Order Hirsch 1475.exe	Virustotal: Detection: 35%			Perma Link
Source: Product Order Hirsch 1475.exe	ReversingLabs: Detection: 34%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack	String decryptor:
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack	String decryptor: 7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack	String decryptor: 7854955274

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Product Order Hirsch 1475.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49686 version: TLS 1.0

Source: Product Order Hirsch 1475.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 0133F1F6h	3_2_0133F007
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 0133FB80h	3_2_0133F007
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0133E528
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0133EB5B
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0133ED3C
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD8D4Dh	3_2_06AD8A10
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD6579h	3_2_06AD62D0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD5CC9h	3_2_06AD5A20
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD6121h	3_2_06AD5E78
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06AD37B0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD6E29h	3_2_06AD6B80
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06AD37C0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD7281h	3_2_06AD6FD8
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD69D1h	3_2_06AD6728
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD7B59h	3_2_06AD78B0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD0741h	3_2_06AD0498
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD0B99h	3_2_06AD08F0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD02E9h	3_2_06AD0040
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD7702h	3_2_06AD7458
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD5849h	3_2_06AD55A0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD8861h	3_2_06AD85B8
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD7FB1h	3_2_06AD7D08
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD8409h	3_2_06AD8160
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 4x nop then jmp 06AD0FF1h	3_2_06AD0D48

Source: global traffic

TCP traffic: 192.168.2.6:62404 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49692 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49694 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49684 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49690 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49698 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49695 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49688 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49702 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49686 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F56000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002EB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F56000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002EB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Product Order Hirsch 1475.exe, 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F56000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F56000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002EB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Product Order Hirsch 1475.exe, 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002EB6000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002EB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F56000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000002F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Product Order Hirsch 1475.exe PID: 4352, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Product Order Hirsch 1475.exe PID: 4352, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Product Order Hirsch 1475.exe PID: 1776, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Product Order Hirsch 1475.exe PID: 1776, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Product Order Hirsch 1475.exe

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_00A93E1C	1_2_00A93E1C
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A67D00	1_2_06A67D00
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A69AF8	1_2_06A69AF8
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A647B8	1_2_06A647B8
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A63F48	1_2_06A63F48
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A67CF0	1_2_06A67CF0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A66408	1_2_06A66408
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A65A58	1_2_06A65A58
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A64380	1_2_06A64380
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A64370	1_2_06A64370
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A67D00	1_2_06A67D00
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_01336108	3_2_01336108
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133C190	3_2_0133C190
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133F007	3_2_0133F007
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133B328	3_2_0133B328
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133C470	3_2_0133C470
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133C752	3_2_0133C752
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_01339858	3_2_01339858
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_01336880	3_2_01336880
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133BBD2	3_2_0133BBD2
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133CA32	3_2_0133CA32
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_01334AD9	3_2_01334AD9
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133BEB0	3_2_0133BEB0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_01339170	3_2_01339170
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133215C	3_2_0133215C
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133300F	3_2_0133300F
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_01333062	3_2_01333062
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_013330AE	3_2_013330AE
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133330E	3_2_0133330E
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133E528	3_2_0133E528
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133E517	3_2_0133E517
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_01333572	3_2_01333572
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_0133B4F2	3_2_0133B4F2
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADB6F0	3_2_06ADB6F0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD8A10	3_2_06AD8A10
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADAA60	3_2_06ADAA60
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADD678	3_2_06ADD678
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADC390	3_2_06ADC390
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADB0A8	3_2_06ADB0A8
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADD030	3_2_06ADD030
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADA410	3_2_06ADA410
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD9059	3_2_06AD9059
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD11A0	3_2_06AD11A0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADC9E0	3_2_06ADC9E0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADBD40	3_2_06ADBD40
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADB6E1	3_2_06ADB6E1
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD62C0	3_2_06AD62C0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD62D0	3_2_06AD62D0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD5A20	3_2_06AD5A20
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD8A0B	3_2_06AD8A0B
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD5A13	3_2_06AD5A13
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD5E68	3_2_06AD5E68
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADD66A	3_2_06ADD66A
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD5E78	3_2_06AD5E78
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADAA5A	3_2_06ADAA5A
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD37B0	3_2_06AD37B0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD6B80	3_2_06AD6B80
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADC380	3_2_06ADC380
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD6FC9	3_2_06AD6FC9
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD37C0	3_2_06AD37C0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD6FD8	3_2_06AD6FD8
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD6728	3_2_06AD6728
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD3B38	3_2_06AD3B38
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD671B	3_2_06AD671B
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD6B73	3_2_06AD6B73
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD78B0	3_2_06AD78B0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD0488	3_2_06AD0488
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD789F	3_2_06AD789F
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD0498	3_2_06AD0498
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADB097	3_2_06ADB097
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD08E0	3_2_06AD08E0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD7CF8	3_2_06AD7CF8
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD08F0	3_2_06AD08F0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD2C20	3_2_06AD2C20
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADD020	3_2_06ADD020
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD4838	3_2_06AD4838
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD2C0F	3_2_06AD2C0F
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD0006	3_2_06AD0006
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADA400	3_2_06ADA400
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD0040	3_2_06AD0040
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD7458	3_2_06AD7458
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD7451	3_2_06AD7451
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD85A8	3_2_06AD85A8
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD55A0	3_2_06AD55A0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD85B8	3_2_06AD85B8
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD5597	3_2_06AD5597
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD1191	3_2_06AD1191
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADC9D0	3_2_06ADC9D0
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD0D39	3_2_06AD0D39
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADBD30	3_2_06ADBD30
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD7D08	3_2_06AD7D08
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD8160	3_2_06AD8160
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD0D48	3_2_06AD0D48
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD8150	3_2_06AD8150

Source: Product Order Hirsch 1475.exe, 00000001.00000002.1225072731.00000000066B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe, 00000001.00000002.1221560737.0000000002401000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe, 00000001.00000002.1221560737.00000000025FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe, 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe, 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe, 00000001.00000002.1221560737.0000000002415000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe, 00000001.00000002.1220189902.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe, 00000001.00000002.1225256007.00000000069C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe, 00000003.00000002.3661205423.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe, 00000003.00000002.3661331539.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe, 00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Product Order Hirsch 1475.exe
Source: Product Order Hirsch 1475.exe	Binary or memory string: OriginalFilenamezLyI.exe8 vs Product Order Hirsch 1475.exe

Source: Product Order Hirsch 1475.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Product Order Hirsch 1475.exe PID: 4352, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Product Order Hirsch 1475.exe PID: 4352, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Product Order Hirsch 1475.exe PID: 1776, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Product Order Hirsch 1475.exe PID: 1776, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Product Order Hirsch 1475.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, z2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, z2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, z2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, z2.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, ---.cs	Base64 encoded string: 'JzeJw/b9xm+6S2XbSxm04VLxDXW0s8jprFo3QVj1S6zHgpFf8L4EKsa9LKLu5QP6'
Source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, ---.cs	Base64 encoded string: 'JzeJw/b9xm+6S2XbSxm04VLxDXW0s8jprFo3QVj1S6zHgpFf8L4EKsa9LKLu5QP6'

Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, qaGH5uEUrRK2412hok.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, qaGH5uEUrRK2412hok.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, dLMc7sNLZ0KVR4Mtj8.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, dLMc7sNLZ0KVR4Mtj8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, dLMc7sNLZ0KVR4Mtj8.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, qaGH5uEUrRK2412hok.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, qaGH5uEUrRK2412hok.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, dLMc7sNLZ0KVR4Mtj8.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, dLMc7sNLZ0KVR4Mtj8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, dLMc7sNLZ0KVR4Mtj8.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Product Order Hirsch 1475.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Mutant created: NULL

Source: Product Order Hirsch 1475.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Product Order Hirsch 1475.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000003036000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3664411044.0000000003E7D000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000003044000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000003026000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Product Order Hirsch 1475.exe, 00000003.00000002.3662820175.000000000306C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Product Order Hirsch 1475.exe	Virustotal: Detection: 35%
Source: Product Order Hirsch 1475.exe	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\Product Order Hirsch 1475.exe "C:\Users\user\Desktop\Product Order Hirsch 1475.exe"
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process created: C:\Users\user\Desktop\Product Order Hirsch 1475.exe "C:\Users\user\Desktop\Product Order Hirsch 1475.exe"
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process created: C:\Users\user\Desktop\Product Order Hirsch 1475.exe "C:\Users\user\Desktop\Product Order Hirsch 1475.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Product Order Hirsch 1475.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Product Order Hirsch 1475.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, dLMc7sNLZ0KVR4Mtj8.cs	.Net Code: jFGuOHtM88 System.Reflection.Assembly.Load(byte[])
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, dLMc7sNLZ0KVR4Mtj8.cs	.Net Code: jFGuOHtM88 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A6BEA3 pushfd ; retf	1_2_06A6BEA9
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 1_2_06A6BE18 pushad ; retf	1_2_06A6BE19
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADEFEE push es; iretd	3_2_06ADEFEC
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06AD8F60 push es; ret	3_2_06AD904C
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADF19A push es; iretd	3_2_06ADF22C
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Code function: 3_2_06ADE190 push es; iretd	3_2_06ADEFEC

Source: Product Order Hirsch 1475.exe

Static PE information: section name: .text entropy: 7.822969317321778

Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, RhmHap0PUGpBE91PZ6.cs	High entropy of concatenated method names: 'Km1OAQiIC', 'jcMLtfOYL', 'T5hmS0fF1', 'cbn4j8SqQ', 'C5XjK1GR7', 'gXdSQTqO3', 't20yfe92gUxVZYtmyu', 'MyJ0dxj4Lfkb67ZTiL', 'x9JMBJU1d', 'eHfee6M5g'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, u2MlrhPPITKBKMo8eDq.cs	High entropy of concatenated method names: 'uHZea54MLA', 'RtCezGC2Ve', 'pEk5IW9DCY', 'vKd5PJkq1c', 'l2n50naIiT', 'Dib5tqUFAN', 'dU05uYuhi8', 'Uls563f9Hb', 'BL75X2mdnk', 'zto5JoRAHt'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, uq16oU8GE5uEHtmX9L.cs	High entropy of concatenated method names: 'WXZ26Hf0Dg', 'UjI2JANSJt', 'BjB27jutsi', 'Cmx2oRFoEV', 'ork2NC4IfU', 'QHN7B3iJQf', 'Qvs7Vwj4Z1', 'XLp7HlIQ2K', 'Tql7ZEZiCW', 'Fhs7lvdtJ3'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, QORDP6PIuM4Ys8i08An.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lJBenKuUV0', 'bdVehC4cXn', 'nZUekW5xXJ', 'xe5e35BxLh', 'nPEexFaBr2', 'rtbegCFlOg', 'AqReQYjxC8'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, aH9gI7lC9uLUZZwEf3.cs	High entropy of concatenated method names: 'AJsf8vR0Yh', 'CqgfWepUNV', 'iirfpdNlUv', 'q62fGJslik', 'uTEfTlSq1G', 'LwJfbaSkvi', 'wSvf9Oiy4o', 'KJ1frdCF2e', 'SUxf1wH69l', 'ERRfK0KfMk'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, sDq4dDSQoHJWatRMxJ.cs	High entropy of concatenated method names: 'KZP7Y9FPk2', 'Ucq74bC367', 'wOnvpfTEvO', 'CK2vGsmLik', 'zHVvT5e6ZW', 'h7lvbXOHZA', 'FVHv96gGcN', 'rMYvrcg6SI', 'mupv1QafWr', 'HLNvK3LZyp'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, HCvUl3HEEaYxN07YC2.cs	High entropy of concatenated method names: 'eBXfc74BHm', 'xIFfyQLkud', 'fMFffEaGuY', 'U8Hf5fXWPY', 'ehCfDRrT5h', 'oKRfAZXrjv', 'Dispose', 'zmaMXikaS8', 'cKQMJJr70T', 'nmfMv5B6T7'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, PUXroyziidHvJY8p0X.cs	High entropy of concatenated method names: 'NyTemtG7v6', 'WrmeE2D4wt', 'wnrejjhLhC', 'LQRe8TnqOY', 'LvreWPoimI', 'QqneGxIag9', 'NLheT66llw', 'kYheAmS9IB', 'PLbeRIQnOl', 'ALUes0GPH7'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, LySciLknQMs3lOHQy5.cs	High entropy of concatenated method names: 'cNOdEWkZgy', 'mmGdj2nKAu', 'qxRd8ILMSj', 'yGSdWngaEC', 'kpUdGJ28FJ', 'u7JdTQ0ICg', 'XbXd9AKfhS', 'e3Edrh7W9L', 'Tw0dK7fhUW', 'drNdnpXYn0'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, xAYv03j9oMbu5LvMgK.cs	High entropy of concatenated method names: 'mx1vLAkRlQ', 't59vmMevuA', 'Wh5vEajqPj', 'xX1vjGIx2D', 'UsGvcaN7Du', 'jEyvienQXd', 'zx9vygLsYe', 'sFQvMW1nv5', 'Hdfvf7HwVV', 'vuBveSNdsR'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, EgAFyd9Pn1RNrNvnia.cs	High entropy of concatenated method names: 'Ui1oXQKj5g', 'pU1ovtbyqm', 'Xcso2JN30M', 'nxb2an4LMf', 'IrN2z9ZQCy', 'yfhoIhqnCf', 'ksooP09xr6', 'D5Ko0NTcBq', 'XhSotNvAOQ', 'oQEou4WlK9'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, eBJTbYPuNsvTkpKfLka.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'L8BCfWpRwR', 'OTyCefrqih', 'BAjC5hoQaa', 'MmeCCyPxMn', 'TvPCDSEl4n', 'LUJCwaUdSx', 'p88CA0JccG'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, qaGH5uEUrRK2412hok.cs	High entropy of concatenated method names: 'uXAJ3xr9Ia', 'ri6JxjVJfT', 'vxbJgf85NC', 'b8yJQJ3kEV', 'BpHJB4CyVb', 'COoJVC8GQN', 'TixJHumSOX', 'YJyJZi3i9h', 'vxYJlgoKyG', 'qpEJamAabK'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, rYBSE81kyVH9yUIUJm.cs	High entropy of concatenated method names: 'o8LoRs64CV', 'a1losi1etN', 'IBEoO64ML5', 'uQjoLY2hZM', 'Q9uoYaUn5T', 'Dnuom9IdRl', 'D1ho4lcIdW', 'BKKoEoZFJc', 'gCFojFLZcp', 'toJoS2HLEN'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, SbCswgP0PSN7boKZ3PM.cs	High entropy of concatenated method names: 'ToString', 'zwe5EdnG8U', 'YsZ5joicSj', 'ILq5SvBNZw', 'f3R58mHErI', 'zsh5WTBW3m', 'R8d5pyOevp', 'lXF5GbealD', 'wYTvSSXKVyAuLNfl0JY', 'fa235CXkCB6Ew8o23KN'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, dcy01xuyX5oP6hMpco.cs	High entropy of concatenated method names: 'huyPoaGH5u', 'lrRPNK2412', 'Q9oPUMbu5L', 'hMgPqKfDq4', 'dRMPcxJCq1', 'eoUPiGE5uE', 'sAgLpZiXt0XKTYlQfG', 'uJSJ6cRqHYRtADFTr7', 'vafPPqlYNB', 'HgkPtoDQHu'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, v5cr7cavvUHLr4B53A.cs	High entropy of concatenated method names: 'SoDevIiulB', 'mP9e7dcKSM', 'vBLe2ylJB6', 'OTweonYaEy', 'u7qef1Dfxq', 'vHheNE9Z7B', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, a6MB9agSGSKtv2l1Uk.cs	High entropy of concatenated method names: 'ToString', 'QEEinxAiU0', 'on7iW7IGqq', 'BZUippLWT5', 'sHtiGoA6cW', 'DgaiThJadD', 'uQqibCpNPM', 'l4Di9BtCCt', 'g2Tiruuwfv', 'CXPi1lTEEy'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, l0SvTsVZV44HY3CG1J.cs	High entropy of concatenated method names: 'RdvyZRZrWa', 'QELyaWVlnT', 'uspMITEU0y', 'cDyMPJQMCU', 'LBeyn2jR6m', 'k5JyhJK7MZ', 'cgYykgVi07', 'HgYy3u7gnw', 'lbhyx7B0po', 'l0Vygdqvco'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, rMqNJiJeAZCZ69flpu.cs	High entropy of concatenated method names: 'Dispose', 'YYxPlN07YC', 'H8n0W1jLpV', 'XdQD15XVt4', 'jVnPaH1bUv', 'v9gPzAO5eb', 'ProcessDialogKey', 'ElI0IH9gI7', 'u9u0PLUZZw', 'Df300D5cr7'
Source: 1.2.Product Order Hirsch 1475.exe.69c0000.5.raw.unpack, dLMc7sNLZ0KVR4Mtj8.cs	High entropy of concatenated method names: 'hxQt6EAFu4', 'eiItXsF4FV', 'K8htJohfme', 'h4GtvBGLsq', 'YRlt7HNtac', 'EUIt2CjJpd', 'uW3toOMHZN', 'jqMtNiqMF9', 'R6XtFCsvmQ', 'aMOtUARPOa'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, RhmHap0PUGpBE91PZ6.cs	High entropy of concatenated method names: 'Km1OAQiIC', 'jcMLtfOYL', 'T5hmS0fF1', 'cbn4j8SqQ', 'C5XjK1GR7', 'gXdSQTqO3', 't20yfe92gUxVZYtmyu', 'MyJ0dxj4Lfkb67ZTiL', 'x9JMBJU1d', 'eHfee6M5g'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, u2MlrhPPITKBKMo8eDq.cs	High entropy of concatenated method names: 'uHZea54MLA', 'RtCezGC2Ve', 'pEk5IW9DCY', 'vKd5PJkq1c', 'l2n50naIiT', 'Dib5tqUFAN', 'dU05uYuhi8', 'Uls563f9Hb', 'BL75X2mdnk', 'zto5JoRAHt'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, uq16oU8GE5uEHtmX9L.cs	High entropy of concatenated method names: 'WXZ26Hf0Dg', 'UjI2JANSJt', 'BjB27jutsi', 'Cmx2oRFoEV', 'ork2NC4IfU', 'QHN7B3iJQf', 'Qvs7Vwj4Z1', 'XLp7HlIQ2K', 'Tql7ZEZiCW', 'Fhs7lvdtJ3'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, QORDP6PIuM4Ys8i08An.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lJBenKuUV0', 'bdVehC4cXn', 'nZUekW5xXJ', 'xe5e35BxLh', 'nPEexFaBr2', 'rtbegCFlOg', 'AqReQYjxC8'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, aH9gI7lC9uLUZZwEf3.cs	High entropy of concatenated method names: 'AJsf8vR0Yh', 'CqgfWepUNV', 'iirfpdNlUv', 'q62fGJslik', 'uTEfTlSq1G', 'LwJfbaSkvi', 'wSvf9Oiy4o', 'KJ1frdCF2e', 'SUxf1wH69l', 'ERRfK0KfMk'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, sDq4dDSQoHJWatRMxJ.cs	High entropy of concatenated method names: 'KZP7Y9FPk2', 'Ucq74bC367', 'wOnvpfTEvO', 'CK2vGsmLik', 'zHVvT5e6ZW', 'h7lvbXOHZA', 'FVHv96gGcN', 'rMYvrcg6SI', 'mupv1QafWr', 'HLNvK3LZyp'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, HCvUl3HEEaYxN07YC2.cs	High entropy of concatenated method names: 'eBXfc74BHm', 'xIFfyQLkud', 'fMFffEaGuY', 'U8Hf5fXWPY', 'ehCfDRrT5h', 'oKRfAZXrjv', 'Dispose', 'zmaMXikaS8', 'cKQMJJr70T', 'nmfMv5B6T7'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, PUXroyziidHvJY8p0X.cs	High entropy of concatenated method names: 'NyTemtG7v6', 'WrmeE2D4wt', 'wnrejjhLhC', 'LQRe8TnqOY', 'LvreWPoimI', 'QqneGxIag9', 'NLheT66llw', 'kYheAmS9IB', 'PLbeRIQnOl', 'ALUes0GPH7'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, LySciLknQMs3lOHQy5.cs	High entropy of concatenated method names: 'cNOdEWkZgy', 'mmGdj2nKAu', 'qxRd8ILMSj', 'yGSdWngaEC', 'kpUdGJ28FJ', 'u7JdTQ0ICg', 'XbXd9AKfhS', 'e3Edrh7W9L', 'Tw0dK7fhUW', 'drNdnpXYn0'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, xAYv03j9oMbu5LvMgK.cs	High entropy of concatenated method names: 'mx1vLAkRlQ', 't59vmMevuA', 'Wh5vEajqPj', 'xX1vjGIx2D', 'UsGvcaN7Du', 'jEyvienQXd', 'zx9vygLsYe', 'sFQvMW1nv5', 'Hdfvf7HwVV', 'vuBveSNdsR'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, EgAFyd9Pn1RNrNvnia.cs	High entropy of concatenated method names: 'Ui1oXQKj5g', 'pU1ovtbyqm', 'Xcso2JN30M', 'nxb2an4LMf', 'IrN2z9ZQCy', 'yfhoIhqnCf', 'ksooP09xr6', 'D5Ko0NTcBq', 'XhSotNvAOQ', 'oQEou4WlK9'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, eBJTbYPuNsvTkpKfLka.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'L8BCfWpRwR', 'OTyCefrqih', 'BAjC5hoQaa', 'MmeCCyPxMn', 'TvPCDSEl4n', 'LUJCwaUdSx', 'p88CA0JccG'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, qaGH5uEUrRK2412hok.cs	High entropy of concatenated method names: 'uXAJ3xr9Ia', 'ri6JxjVJfT', 'vxbJgf85NC', 'b8yJQJ3kEV', 'BpHJB4CyVb', 'COoJVC8GQN', 'TixJHumSOX', 'YJyJZi3i9h', 'vxYJlgoKyG', 'qpEJamAabK'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, rYBSE81kyVH9yUIUJm.cs	High entropy of concatenated method names: 'o8LoRs64CV', 'a1losi1etN', 'IBEoO64ML5', 'uQjoLY2hZM', 'Q9uoYaUn5T', 'Dnuom9IdRl', 'D1ho4lcIdW', 'BKKoEoZFJc', 'gCFojFLZcp', 'toJoS2HLEN'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, SbCswgP0PSN7boKZ3PM.cs	High entropy of concatenated method names: 'ToString', 'zwe5EdnG8U', 'YsZ5joicSj', 'ILq5SvBNZw', 'f3R58mHErI', 'zsh5WTBW3m', 'R8d5pyOevp', 'lXF5GbealD', 'wYTvSSXKVyAuLNfl0JY', 'fa235CXkCB6Ew8o23KN'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, dcy01xuyX5oP6hMpco.cs	High entropy of concatenated method names: 'huyPoaGH5u', 'lrRPNK2412', 'Q9oPUMbu5L', 'hMgPqKfDq4', 'dRMPcxJCq1', 'eoUPiGE5uE', 'sAgLpZiXt0XKTYlQfG', 'uJSJ6cRqHYRtADFTr7', 'vafPPqlYNB', 'HgkPtoDQHu'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, v5cr7cavvUHLr4B53A.cs	High entropy of concatenated method names: 'SoDevIiulB', 'mP9e7dcKSM', 'vBLe2ylJB6', 'OTweonYaEy', 'u7qef1Dfxq', 'vHheNE9Z7B', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, a6MB9agSGSKtv2l1Uk.cs	High entropy of concatenated method names: 'ToString', 'QEEinxAiU0', 'on7iW7IGqq', 'BZUippLWT5', 'sHtiGoA6cW', 'DgaiThJadD', 'uQqibCpNPM', 'l4Di9BtCCt', 'g2Tiruuwfv', 'CXPi1lTEEy'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, l0SvTsVZV44HY3CG1J.cs	High entropy of concatenated method names: 'RdvyZRZrWa', 'QELyaWVlnT', 'uspMITEU0y', 'cDyMPJQMCU', 'LBeyn2jR6m', 'k5JyhJK7MZ', 'cgYykgVi07', 'HgYy3u7gnw', 'lbhyx7B0po', 'l0Vygdqvco'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, rMqNJiJeAZCZ69flpu.cs	High entropy of concatenated method names: 'Dispose', 'YYxPlN07YC', 'H8n0W1jLpV', 'XdQD15XVt4', 'jVnPaH1bUv', 'v9gPzAO5eb', 'ProcessDialogKey', 'ElI0IH9gI7', 'u9u0PLUZZw', 'Df300D5cr7'
Source: 1.2.Product Order Hirsch 1475.exe.35ae1d0.3.raw.unpack, dLMc7sNLZ0KVR4Mtj8.cs	High entropy of concatenated method names: 'hxQt6EAFu4', 'eiItXsF4FV', 'K8htJohfme', 'h4GtvBGLsq', 'YRlt7HNtac', 'EUIt2CjJpd', 'uW3toOMHZN', 'jqMtNiqMF9', 'R6XtFCsvmQ', 'aMOtUARPOa'

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Memory allocated: A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Memory allocated: 2400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Memory allocated: 2350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Memory allocated: 86A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Memory allocated: 96A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Memory allocated: 98B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Memory allocated: A8B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599097	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598972	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598712	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598483	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598374	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598244	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598134	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598030	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597882	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597780	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596236	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596050	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595904	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595743	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595513	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 593984	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 593874	Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Window / User API: threadDelayed 2739			Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Window / User API: threadDelayed 7101			Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 2432	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 6844	Thread sleep count: 2739 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 6844	Thread sleep count: 7101 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -599097s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -598972s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -598829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -598712s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -598483s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -598374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -598244s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -598134s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -598030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -597882s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -597780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -596796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -596236s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -596050s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -595904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -595743s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -595513s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -595296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -594749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -594421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -594093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -593984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe TID: 5996	Thread sleep time: -593874s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 599097	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598972	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598712	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598483	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598374	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598244	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598134	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 598030	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597882	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597780	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596236	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 596050	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595904	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595743	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595513	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 593984	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Thread delayed: delay time: 593874	Jump to behavior

Source: Product Order Hirsch 1475.exe, 00000003.00000002.3661331539.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Memory written: C:\Users\user\Desktop\Product Order Hirsch 1475.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Process created: C:\Users\user\Desktop\Product Order Hirsch 1475.exe "C:\Users\user\Desktop\Product Order Hirsch 1475.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Users\user\Desktop\Product Order Hirsch 1475.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Users\user\Desktop\Product Order Hirsch 1475.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3662820175.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3662820175.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Product Order Hirsch 1475.exe PID: 4352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Product Order Hirsch 1475.exe PID: 1776, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Product Order Hirsch 1475.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Product Order Hirsch 1475.exe PID: 4352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Product Order Hirsch 1475.exe PID: 1776, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Product Order Hirsch 1475.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3497698.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3476c78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Product Order Hirsch 1475.exe.3497698.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3662820175.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3660976736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1222191509.0000000003409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3662820175.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Product Order Hirsch 1475.exe PID: 4352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Product Order Hirsch 1475.exe PID: 1776, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Product Order Hirsch 1475.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Product Order Hirsch 1475.exe